NuClide Research
Most recent
navigate open esc close Corpus index built 2026-06-07 23:58 UTC

← All engagement records

Case study May 2, 2026

ICI Bucharest: 2-Node Cluster, Cloud Proxy + Abliterated Models

Bill Rondell, Nick Adams & Dade Murphy — May 2, 2026 — case study — 2 min read — 379 words
Sector
Universities
Country
ici

NuClide Research · 2026-05-02

Summary

Institutul National de Cercetare-Dezvoltare în Informatică (ICI Bucharest), Romania’s national IT research institute, exposes two Ollama nodes. Node 1 (85.122.129.92) runs cloud proxy subscriptions (DeepSeek, MiniMax). Node 2 (85.122.129.248) is a large-model compute node with 11 models including abliterated Qwen2.5-Coder, two Dolphin uncensored models, and a custom rdv-bot with exposed system prompt, and a 72B Qwen2.5 model.

Infrastructure

NodeIPVersionModelsTags
ici-node-185.122.129.920.19.04CLOUD
ici-node-285.122.129.2480.18.311abliterated models

Subnet: 85.122.129.0/24 (ICI Bucharest ASN, Romania).

Node 1: Cloud Proxy (85.122.129.92)

ModelNotes
deepseek-v4-pro:cloudDeepSeek V4 Pro via cloud proxy
minimax-m2.7:cloudMiniMax M2.7 via cloud proxy
llama3.2:3bLocal
llama3:latestLocal

Node 2: Large Compute (85.122.129.248)

ModelCategorySystem Prompt
qwen2.5:72b72B model”You are Qwen, created by Alibaba Cloud.”
qwen2.5:14b14B model”You are Qwen, created by Alibaba Cloud.”
qwen2.5:7b-instruct-q4_K_M7B model”You are Qwen, created by Alibaba Cloud.”
huihui_ai/qwen2.5-coder-abliterate:14bAbliterated”You are a helpful assistant.”
llama3.1-8b-abliterated:latestAbliterated,
dolphin-llama3:latestUncensored”You are Dolphin, a helpful AI assistant.”
dolphin-mistral:latestUncensored”You are Dolphin, a helpful AI assistant.”
rdv-bot:latestCustom(see F2)
gemma2:9b-instruct-q4_K_MLocal,
llama3.1:8bLocal,

Findings

F1: Cloud Proxy Quota Exposure (CRITICAL)

Node 1 exposes DeepSeek V4 Pro and MiniMax M2.7 cloud proxy subscriptions without authentication. Any actor can drain ICI Bucharest’s API quotas at no cost to themselves.

F2: rdv-bot System Prompt Leaked (HIGH)

Node 2 hosts a custom rdv-bot:latest model. The rdv-bot name (Romanian: “rdv” = “rendezvous” / appointment scheduling) suggests a production chatbot, a Romanian scheduling or appointment assistant. Full system prompt accessible via /api/show.

F3: Abliterated + Uncensored Models on Research Infrastructure (HIGH)

huihui_ai/qwen2.5-coder-abliterate:14b (safety-removed) and llama3.1-8b-abliterated coexist with legitimate research models. Both dolphin-llama3 and dolphin-mistral are uncensored variants. On a national research institute’s public-facing IP, these will comply with arbitrary instructions without access control.

F4: 72B Model for Free Inference (HIGH)

qwen2.5:72b accessible without authentication. Frontier-class inference at ICI Bucharest’s compute cost.

F5: Model Injection on Both Nodes (CRITICAL)

CVE-2025-63389 applies to both nodes.

Remediation

OLLAMA_HOST=127.0.0.1:11434
systemctl restart ollama

Disclosure

  • Discovered: 2026-05-02
  • Status: Pending outreach to ICI Bucharest security team