
CRITICAL · Disclosure May 4, 2026

Pk Comsats Resend

To: arsaeed@comsats.net.pk
Cc: abuse@nuclide-research.com
Subject: Unauthenticated AI inference endpoint, COMSATS University (203.124.40.57) [resend, contact via RIPE abuse-mailbox]


Nicholas Michael Kloster / NuClide Research
nicholas@nuclide-research.com

2026-05-04

Re: Unauthenticated Ollama AI inference endpoint, COMSATS University
IP / Host: 203.124.40.57
Severity: CRITICAL


I’m an independent security researcher conducting good-faith AI infrastructure research under the NuClide Research umbrella (CISA disclosures CVE-2025-4364, ICSA-25-140-11). This is an unsolicited coordinated-disclosure resend.

Note on previous attempts: I sent this disclosure on 2026-05-04 to security@comsats.edu.pk and abuse@comsats.edu.pk; both addresses bounced with 554 5.4.14 hop-count exceeded (Microsoft 365 mail-loop misconfiguration at pern.onmicrosoft.com). RIPE WHOIS for the IP block lists arsaeed@comsats.net.pk as the registered abuse-mailbox, so I am resending here. Apologies for the noise if this reaches the wrong inbox.


Summary

COMSATS University has an Ollama instance at 203.124.40.57:11434 with two MedGemma medical AI models (27B + 4B) alongside a Kimi K2.6 cloud proxy. The server is publicly reachable without authentication.

Models

| Model | Size | Notes |
|---|---|---|
| kimi-k2.6:cloud | 0 GB | Cloud proxy (returns 401, no credential leak) |
| puyangwang/medgemma-27b-it:q8 | 29.6 GB | Google MedGemma 27B medical AI |
| thiagomoraes/medgemma-1.5-4b-it:F16 | 8.6 GB | MedGemma 1.5B instruct |
| gemma4:26b | 18.0 GB | |
| qwen3.6:latest | 23.9 GB | |
| gemma3:12b | 8.1 GB | |
| llama3.2:3b | 2.0 GB | |

Findings

  • F1, Medical AI exposed unauth (HIGH), MedGemma 27B + 4B accessible to any internet caller; CVE-2025-63389 model injection allows altering the medical AI’s system prompt.
  • F2, Cloud proxy present (MEDIUM), Kimi K2.6 cloud proxy reachable; no credential leak in the 401 response, but the operator’s billing is at risk if config changes.
  • F3, CVE-2025-63389 injectable (HIGH), All models on the instance are injectable.

One-line fix

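# In the unit override (systemctl edit ollama.service), under [Service]:
Environment="OLLAMA_HOST=127.0.0.1:11434"
systemctl daemon-reload
systemctl restart ollama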

Rebinds Ollama to loopback only. If in Docker: docker run -p 127.0.0.1:11434:11434 ollama/ollama.

Reference

Full case study: AI-LLM-Infrastructure-OSINT/blob/main/case-studies/universities/PK/comsats.md

Disclosure-outcome tracker (this batch): AI-LLM-Infrastructure-OSINT/blob/main/disclosures/outcomes-2026-05-04.md

I’m happy to answer questions or assist with verification.

Regards,
Nicholas Michael Kloster / NuClide Research
nicholas@nuclide-research.com
AI-LLM-Infrastructure-OSINT
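
A check that the loopback rebind described under "One-line fix" took effect, as an added example that is not part of the original disclosure email: it scans listener-table lines for port 11434 and reports any bind that is not loopback. The function name is hypothetical and the listener lines are constructed samples in `ss -ltnH` column layout.

```shell
#!/usr/bin/env bash
# Added example: audit a TCP listener table for an exposed Ollama port.
PORT=11434

# Reads `ss -ltnH`-style lines on stdin and prints the host part of every
# listener on $PORT that is not bound to loopback.
# Exit status: 0 = loopback only (or not listening), 1 = exposed.
exposed_ollama_listeners() {
  awk -v port="$PORT" '
    {
      local_addr = $4                       # 4th column: Local Address:Port
      n = split(local_addr, parts, ":")
      if (parts[n] != port) next            # some other service
      host = substr(local_addr, 1, length(local_addr) - length(parts[n]) - 1)
      gsub(/^\[|\]$/, "", host)             # strip IPv6 brackets
      if (host ~ /^127\./ || host == "::1") next
      print host
      found = 1
    }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample: Ollama bound to all interfaces (the reported state).
SAMPLE_EXPOSED='LISTEN 0 4096 0.0.0.0:11434 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*'

# Constructed sample: after the rebind, only loopback listens on 11434.
SAMPLE_FIXED='LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

if hosts=$(printf '%s\n' "$SAMPLE_EXPOSED" | exposed_ollama_listeners); then
  echo "exposed sample: loopback only"
else
  echo "exposed sample: port $PORT reachable on: $hosts"
fi

if printf '%s\n' "$SAMPLE_FIXED" | exposed_ollama_listeners >/dev/null; then
  echo "fixed sample: loopback only"
fi

# On a live host: ss -ltnH | exposed_ollama_listeners
```

A Docker deployment published with `-p 11434:11434` may not show up under the Ollama process in the host listener table, so the port mapping should be checked there as well.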