NuClide Research
Most recent
navigate open esc close Corpus index built 2026-06-07 23:58 UTC

← All engagement records

Case study May 1, 2026

City of Cartersville, GA: Local Government Ollama + Cloud Proxy Credential Leak

Bill Rondell, Nick Adams & Dade Murphy — May 1, 2026 — case study — 1 min read — 292 words
Sector
Critical Infrastructure

NuClide Research · 2026-05-01

Summary

City of Cartersville, Georgia municipal server running Ollama on Windows with one active cloud proxy subscription (DeepSeek v4 Pro). Raw Ollama port publicly accessible, no authentication. Cloud proxy 401 response leaks Ollama Connect username (Windows machine hostname) and SSH public key. Local government AI infrastructure exposed to model injection and quota drain.

Infrastructure

FieldValue
IP104.36.136.143
Domainfizziemail.0054086.xyz (Shodan hostname)
OrgCity of Cartersville
StateGeorgia, USA
OSWindows (hostname pattern: WIN-QAHP18EJH8I)
Open ports11434 (Ollama, public)

Models

ModelSizeType
deepseek-v4-pro:cloud0 GB☁️ Cloud proxy, DeepSeek API
gemma3:12b7 GBLocal
gpt-oss:20b12 GBLocal
smollm2:135m0 GBLocal

Findings

F1: Unauthenticated Ollama API (CRITICAL)

Port 11434 bound to 0.0.0.0 on a Windows machine at municipal government. No auth, no firewall.

curl http://104.36.136.143:11434/api/tags

F2: Cloud Proxy + Credential Leak (CRITICAL)

DeepSeek v4 Pro cloud proxy returns 401 with Ollama Connect credentials:

{
  "error": "unauthorized",
  "signin_url": "https://ollama.com/connect?name=WIN-QAHP18EJH8I&key=<base64>"
}

Decoded:

  • Ollama username: WIN-QAHP18EJH8I (Windows default machine name = no admin renamed it)
  • SSH pubkey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIMKxccqkabWsNBkeqzUuLKzOAhJXKr76IS9Vjfu7eEV

The default Windows hostname (WIN- prefix + random alphanumeric) indicates this machine was never domain-joined or renamed, typical of an unmanaged standalone deployment.

F3: Model Injection on Government System (CRITICAL)

Any actor can inject system prompts into any model via CVE-2025-63389. If city staff use these models for government workflows, injected prompts affect those sessions.

Impact

Municipal government AI deployment with exposed cloud API credentials. If deepseek-v4-pro:cloud is in active use, quota can be drained at city expense. Model injection affects any government workflow using this Ollama instance.

Remediation

Windows:

OLLAMA_HOST=127.0.0.1
# In Ollama Windows settings, bind to loopback only
# Or: Windows Firewall rule blocking inbound TCP 11434

Disclosure

  • Discovered: 2026-05-01
  • Status: Pending outreach to City of Cartersville IT
  • Escalation path: CISA, MS-ISAC (state/local government sector)