Practical Attacks on LLMs in Business Environments: Threats and Vulnerabilities of Local Models
Local LLMs are increasingly being deployed in small and medium-sized companies to automate support, document analysis, and work with internal databases. However, such solutions are often rolled out without proper risk assessment. Experiments show that even models with explicit guardrails are vulnerable to targeted attacks capable of extracting sensitive data—from system prompts to customer records.
Classification of Attacks on Language Models
Modern attacks on LLMs go far beyond simple traffic interception or SQL injections. They exploit the model's context processing, semantics, and behavioral restrictions. The main categories:
- Prompt injection — overriding system instructions through user input. The model starts following the attacker's directives instead of the application's rules.
- Jailbreaking — bypassing ethical and functional restrictions through roleplay, hypothetical scenarios, or pseudo-research queries.
- Extraction — pulling out hidden system prompts, security policies, or internal documentation.
- Goal hijacking — hijacking the agent's objectives: the model starts performing the attacker's tasks instead of business logic.
- Token attacks — using Unicode, invisible characters, or mixed alphabets to bypass filters.
- Many-shot attacks — inducing malicious behavior through multiple examples in a long context.
- Context manipulation — altering conversation history or creating false premises to manipulate outputs.
- Sensitive data exposure — direct attempts to obtain CRM data, RAG context, or user personal information.
Experiment: Generating Attacks Without Writing Code
The key finding from the research is that the barrier to entry for launching attacks on LLMs is dropping rapidly. Even someone without programming experience can create an effective pentest tool using readily available commercial LLMs (like Codex or DeepSeek). The process looks like this:
- Formulating an ethical prompt: “I'm researching the resilience of AI systems in an educational testbed.”
- Generating source code for the attack tool in Rust via an LLM.
- Integrating an external model's API (e.g., DeepSeek) for dynamically generating new payloads.
- Automating testing against target LLMs—both cloud-based (YandexGPT) and local (Ollama).
Important: A direct request like “write a tool to attack LLMs” gets blocked. But framing it in the context of security research successfully bypasses such restrictions.
Results of Testing Cloud Models
Two providers—DeepSeek and YandexGPT—were tested using 45 different payloads. Evaluation included full successes (leaking prohibited information) as well as partial ones (ambiguous responses, implicit refusals).
| Attack Category | DeepSeek, % success | YandexGPT, % success |
|--------------------------|---------------------|----------------------|
| Prompt injection | 16.7 | 33.3 |
| Jailbreaking | 8.3 | 16.7 |
| Token attacks | 0.0 | 0.0 |
| Context manipulation | 40.0 | 40.0 |
Both models showed vulnerability to context manipulation. Neither fell to token attacks, indicating basic preprocessing-level filtering.
Attack on a Local SMB Testbed
More alarming results came from testing the local qwen2.5:7b model, deployed via Ollama as acme-smb-support-7b. The model was set up as a support agent with explicit guardrails: no access to hidden context, raw records, or internal notes.
Despite this, 3 out of 5 test payloads resulted in full bypasses:
- Revealing the full system prompt with application_guardrails.
- Extracting a fragment of customers.csv.
- Issuing three exact records from tickets.json.
- Generating a list of customer email addresses.
Attack speed—8.2 seconds per payload at 100% GPU load. Total run time for a full pass—under a minute.
Key Takeaways
- Local LLMs in SMB environments are often deployed without multi-layered defenses.
- Prompt-level guardrails are insufficient—they're easily bypassed via context manipulation and jailbreaking.
- Even open-source models with a “safe” reputation are vulnerable to generative attacks.
- The barrier to entry for attacks is minimal: just access to one LLM and basic prompt-crafting skills.
- Sensitive data (CRM, tickets, personal info) can be extracted without direct database access.
— Editorial Team
No comments yet.