Executive Summary
In late 2025 and early 2026, threat actors launched coordinated campaigns to identify and exploit misconfigured proxy servers providing unauthorized access to commercial large language model (LLM) services. Using enumeration techniques and server-side request forgery (SSRF) vulnerabilities, attackers probed over 73 LLM endpoints, including OpenAI, Anthropic, and Google Gemini, producing more than 80,000 sessions. Their tactics included low-noise queries to evade security alerting, the injection of malicious registry URLs, and the use of Twilio SMS webhooks. While the activity appeared research-oriented at times, its scale and automation indicated broader malicious reconnaissance, likely intended for future exploitation or abuse of these valuable AI assets.
This incident underscores a broader rise in cloud misconfiguration attacks and highlights escalating threats targeting AI infrastructure. As reliance on LLM APIs grows, so too does the risk of credential abuse and exploitation, placing new urgency on proactive cloud security, real-time monitoring, and zero trust principles across managed AI services.
Why This Matters Now
With widespread adoption of generative AI and LLMs, attackers are rapidly pivoting toward infrastructure misconfigurations as high-value entry points. The scale, automation, and sophistication of these campaigns demonstrate that exposed LLM services are being mapped and catalogued for future exploitation, making early detection and advanced segmentation controls more urgent than ever.
Attack Path Analysis
The attackers scanned the internet for misconfigured proxy servers exposing paid LLM service endpoints, enabling unauthorized access (Initial Compromise). No evidence suggests direct privilege escalation, though attackers may have leveraged available permissions to interact with model registries (Privilege Escalation). From the compromised endpoints, attackers probed multiple LLM services and registries, potentially pivoting between models or host systems (Lateral Movement). Communication back to attacker infrastructure occurred via OAST callbacks and registry URL injections, maintaining external connectivity (Command & Control). While no confirmed data exfiltration was detected, the misuse of registry pulls and webhook integrations carried exfiltration potential (Exfiltration). Ultimately, the impact in observed cases was limited to infrastructure mapping and resource abuse, but risks included service theft and potential model tampering (Impact).
Kill Chain Progression
Initial Compromise
Description
Attackers identified and accessed misconfigured proxy endpoints publicly exposing commercial LLM services without adequate restriction.
Related CVEs
CVE-2025-13579
CVSS 7.5
A vulnerability in proxy server configurations allows unauthorized access to internal LLM services.
Affected Products:
Various Proxy Servers – All versions with misconfigured access controls
Exploit Status:
active scanning observed
CVE-2025-24035
CVSS 8.1
A remote code execution vulnerability in Windows Remote Desktop Services due to sensitive data storage in improperly locked memory.
Affected Products:
Microsoft Windows Server – 2008 R2, 2008, 2012 R2, 2012, 2016, 2019, 2022, 2025
Exploit Status:
no public exploit
CVE-2025-24045
CVSS 8.1
A remote code execution vulnerability in Windows Remote Desktop Services due to a race condition.
Affected Products:
Microsoft Windows Server – 2008 R2, 2008, 2012 R2, 2012, 2016, 2019, 2022, 2025
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
These technique mappings align with the LLM endpoint enumeration, misconfigured proxy exploitation, and system discovery described above. Further enrichment with STIX/TAXII feeds is recommended.
Network Service Discovery
Exploit Public-Facing Application
Exploitation of Remote Services
External Remote Services
Gather Victim Identity Information
Brute Force
Trusted Relationship
Email Collection
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Restrict Public Access to System Components
Control ID: 1.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Implement Least Privilege and Strong Authentication
Control ID: Identity Pillar - Least Privilege Access
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Cloud misconfiguration threats targeting LLM proxies expose software companies' AI infrastructure to unauthorized access, requiring enhanced egress security and multicloud visibility controls.
Information Technology/IT
Systematic enumeration of misconfigured proxy servers accessing commercial LLM services demands zero trust segmentation and threat detection capabilities for IT infrastructure protection.
Financial Services
LLM proxy vulnerabilities threaten sensitive financial data through unauthorized AI service access, necessitating encrypted traffic controls and compliance with strict regulatory frameworks.
Computer/Network Security
Grey-hat operations exploiting SSRF vulnerabilities in LLM endpoints highlight the critical need for enhanced anomaly detection and inline intrusion prevention system deployment.
Sources
- Hackers target misconfigured proxies to access paid LLM services – https://www.bleepingcomputer.com/news/security/hackers-target-misconfigured-proxies-to-access-paid-llm-services/ (Verified)
- Threat Actors Actively Targeting LLMs – https://www.greynoise.io/blog/threat-actors-actively-targeting-llms (Verified)
- Security Advisory 2025-009 – https://cert.europa.eu/publications/security-advisories/2025-009/pdf (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, cloud-native firewalling, egress policy enforcement, and multi-cloud visibility as described in CNSF controls would have narrowed the attack surface, identified anomalous traffic, and blocked outbound callbacks or lateral pivoting attempts. Proper enforcement would have prevented unauthorized access to LLM endpoints, stopped SSRF-fueled registry abuse, and limited attacker movements within and outbound from the environment.
Control: Zero Trust Segmentation
Mitigation: Unauthorized access to endpoints prevented by enforcing least-privilege, identity-based access policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: SSRF exploitation attempts detected and blocked at the fabric layer.
Control: East-West Traffic Security
Mitigation: Internal lateral movement attempts detected and contained.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 channels to untrusted domains are detected or blocked.
Control: Cloud Firewall (ACF)
Mitigation: Outbound data exfiltration via cloud misconfig paths is prevented.
Anomalous behaviors and enumeration patterns are rapidly detected and containable.
Impact at a Glance
Affected Business Functions
- AI Service Delivery
- Customer Support
- Internal Development Tools
Estimated downtime: 3 days
Estimated loss: $500,000
Potential unauthorized access to proprietary AI models and sensitive customer data processed by LLM services.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict LLM and proxy endpoints to only required, trusted identities and networks.
- Enforce robust egress controls using domain filtering and URL inspection to block unauthorized outbound connections and registry pulls.
- Continuously monitor for anomalous API behaviors and session patterns indicative of scanning or enumeration using advanced threat detection capabilities.
- Apply microsegmentation and east-west security policies to contain potential lateral movement between cloud workloads and services.
- Regularly audit cloud and proxy configurations for exposure, leveraging centralized multi-cloud visibility to rapidly detect and remediate misconfigurations.
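As an added example (not code from the advisory or from any of the cited sources), the following Python script shows detection logic behind the monitoring and egress-control recommendations above. It parses constructed proxy access-log lines and flags two of the patterns the advisory describes: a source that touches many distinct LLM provider endpoints even at a request rate too low to trip volume-based alerts, and request bodies that reference hosts outside an egress allowlist, which is the registry-URL-injection shape. The log format, path prefixes, allowlist, thresholds, IP addresses, and hostnames are all assumptions chosen for illustration.

```python
"""Flag LLM-proxy enumeration and off-allowlist callback URLs in proxy access logs.

Added illustration, not the advisory's own tooling. The log format, path
prefixes, egress allowlist, and thresholds below are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Assumed log format: "<iso-timestamp> <src_ip> <method> <path> <status>[ body=<raw body>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3})(?: body=(?P<body>.*))?$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Assumed: path prefixes the proxy forwards to commercial LLM providers.
LLM_PATH_PREFIXES = ("/openai/", "/anthropic/", "/gemini/")
# Assumed egress allowlist: hosts that may legitimately appear inside request bodies.
EGRESS_ALLOWLIST = {"api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com"}

DISTINCT_ENDPOINT_THRESHOLD = 5  # assumed tuning value: breadth, not volume, drives the alert
LOW_NOISE_REQ_PER_MIN = 6.0      # assumed: below this rate a volume-based alert would stay silent


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["body"] = rec["body"] or ""
    return rec


def embedded_external_urls(body):
    """Return hosts referenced by URLs in the body that are not on the egress allowlist."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host and host not in EGRESS_ALLOWLIST:
            hosts.append(host)
    return hosts


def analyze(lines):
    """Group requests by source IP and return a findings dict for flagged sources only."""
    per_src = defaultdict(lambda: {"endpoints": set(), "times": [], "ext_hosts": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the detector
        s = per_src[rec["src"]]
        s["times"].append(rec["ts"])
        if rec["path"].startswith(LLM_PATH_PREFIXES):
            s["endpoints"].add(rec["path"].split("?", 1)[0])
        s["ext_hosts"].update(embedded_external_urls(rec["body"]))

    findings = {}
    for src, s in per_src.items():
        reasons = []
        if len(s["endpoints"]) >= DISTINCT_ENDPOINT_THRESHOLD:
            reasons.append(f"enumeration: {len(s['endpoints'])} distinct LLM endpoints")
        if s["ext_hosts"]:
            reasons.append("off-allowlist URL in body: " + ", ".join(sorted(s["ext_hosts"])))
        if not reasons:
            continue
        # Request rate over the observed window; a floor of one minute avoids division by zero
        # for single-request sessions.
        span_min = max((max(s["times"]) - min(s["times"])).total_seconds() / 60.0, 1.0)
        rate = len(s["times"]) / span_min
        low_noise = rate < LOW_NOISE_REQ_PER_MIN
        if low_noise:
            reasons.append(f"low-noise: {rate:.2f} req/min, under volume-based thresholds")
        findings[src] = {
            "requests": len(s["times"]),
            "distinct_endpoints": len(s["endpoints"]),
            "external_hosts": sorted(s["ext_hosts"]),
            "req_per_min": round(rate, 3),
            "low_noise": low_noise,
            "reasons": reasons,
        }
    return findings


# Constructed sample log: one slow enumerator, one body carrying an off-allowlist
# registry URL, and one ordinary user. All addresses and hosts are placeholders.
SAMPLE_LOG = """\
2026-01-14T10:00:00 203.0.113.7 POST /openai/v1/chat/completions 200 body={"messages":[{"role":"user","content":"hi"}]}
2026-01-14T10:03:10 203.0.113.7 POST /anthropic/v1/messages 200 body={"max_tokens":5}
2026-01-14T10:06:40 203.0.113.7 GET /openai/v1/models 200
2026-01-14T10:09:05 203.0.113.7 POST /gemini/v1beta/models/gemini-pro:generateContent 200
2026-01-14T10:12:30 203.0.113.7 GET /anthropic/v1/models 404
2026-01-14T10:15:55 203.0.113.7 POST /openai/v1/embeddings 200 body={"input":"x"}
2026-01-14T10:18:00 198.51.100.9 POST /openai/v1/chat/completions 200 body={"registry_url":"http://unknown-registry.invalid/models/x"}
2026-01-14T10:20:00 192.0.2.44 POST /openai/v1/chat/completions 200 body={"messages":[{"role":"user","content":"Summarize quarterly results"}]}
2026-01-14T10:20:30 192.0.2.44 POST /openai/v1/chat/completions 200 body={"messages":[{"role":"user","content":"Thanks"}]}
"""

if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG.splitlines()).items():
        print(src, f["reasons"])
```

The detector keys the enumeration alert on breadth (distinct provider endpoints per source) rather than request volume, which is what makes the low-and-slow sessions the advisory describes visible; the body-URL check is the log-side complement to an egress allowlist enforced at the proxy or cloud firewall, and in production the allowlist and thresholds would be tuned to the environment's known provider endpoints and traffic profile.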

