Zenity Labs has revealed that its network of decoy systems, built to look and behave like real enterprise AI, drew thousands of real-world attack attempts, and that it observed attackers hijacking that infrastructure to attack third parties and power their own operations.
The gateway at the center is LiteLLM, one of the most widely deployed tools for routing traffic across large enterprise AI environments. That position makes it a high-value target: compromise the gateway and an attacker can reach the credentials and traffic flowing through it.
LiteLLM has had a difficult year, with several serious vulnerabilities disclosed, including the high-severity remote code execution flaw CVE-2026-40217, as well as separate vulnerabilities that were added to CISA’s KEV catalog after being actively exploited in the wild.
The speed of exploitation stood out. The company reported hundreds of exploitation attempts against the remote code execution (RCE) flaw on the same day it was patched, followed by weeks of further probing. That timing fits a wider pattern security agencies have warned about, in which the window between a fix becoming public and attackers acting on it is collapsing.
In one case, Zenity said an intruder deployed an autonomous AI penetration-testing tool and pointed it at a live e-commerce site. In others, attackers allegedly used the captured systems as free computing power for their own workloads, an AI-era twist on cryptomining, and routed multi-step agent workflows through the hijacked infrastructure.
A New Surface Security Teams Do Not Watch
The through-line is that AI infrastructure has become both a weapon and a target, sitting in a blind spot for most organizations. The same autonomous, agent-driven capabilities enterprises deploy for productivity can be turned against others when the systems running them are left exposed.
Attackers “exploited n-day vulnerabilities and tried to leverage our AI resources to conduct real-world attacks,” said Michael Bargury, Zenity’s co-founder and Chief Technology Officer (CTO), describing how the traps drew intruders into revealing their methods.
The practical takeaway is that an AI gateway is critical infrastructure, holding credentials and routing sensitive traffic, and belongs under the same monitoring, patching, and access control as any other system that can become a foothold.