CVE-2025-23319
Published 2025-08-06
Priority: P2 58 · Severity: critical, 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.53% (71.6th percentile)
NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request. A successful exploit of this vulnerability might lead to remote code execution, denial of service, data tampering, or information disclosure.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nvidia | triton_inference_server | < 25.07 | 25.07 |
| nvidia | triton_inference_server | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthorized registration of shared memory keys matching the pattern 'triton_python_backend_shm_region_*' via the Triton API — this indicates an attacker attempting to register the server's internal IPC shared memory region.
- Alert on unauthenticated inference requests that reference internal shared memory regions (keys prefixed with 'triton_python_backend_shm_region_') — the API does not validate whether the provided shared memory key is user-owned or internal.
- Detect exploitation attempts by monitoring for manipulation of IPC message queues in the Python backend's shared memory, particularly involving structures named 'MemoryShm' or 'SendMessageBase'.
- Flag verbose error messages from the Triton Python backend that leak internal shared memory region names — these are the initial information disclosure step in the exploit chain.
- The exploit chain requires the attacker to first obtain the internal shared memory region name via an information leak (verbose error message); without this leaked name, the subsequent write primitive is not directly accessible.
- The Python backend is a dependency for several other backends, meaning models not explicitly configured to use Python may still be affected through indirect use of the vulnerable component.
- Full technical exploitation details (beyond the read/write primitive via shared memory registration) have been withheld by Wiz Research and are not publicly available.
No detection rules found.
No public exploits indexed.
Wiz
What Is AI Threat Intelligence? Real Risks to AI Systems Explained | Wiz
blogs_wiz · 2025-12-23
## What is AI threat intelligence?
AI threat intelligence is the practice of understanding, tracking, and operationalizing threats that target AI systems – along with using advanced analytics to scale how that intelligence is produced and applied. At its core, it focuses on how attackers abuse, compromise, or exploit AI models, data pipelines, and the cloud infrastructure that supports them.
This distinguishes AI threat intelligence from adjacent disciplines like threat detection or SOC automation. While detection focuses on identifying suspicious activity as it occurs, threat intelligence is concerned with patterns, techniques, and trends – how threats evolve over time, which systems they target, and what conditions make those attacks viable in real environments.
AI systems require th
Wiz
AI Cyberattacks: How attackers target AI, and use AI against you | Wiz
blogs_wiz · 2025-11-14
## What are AI cyberattacks?
AI cyberattacks are threats that either target AI systems – models, pipelines, agents, APIs, and the sensitive data behind them – or use AI to enhance or automate traditional attack techniques.
These attacks differ from traditional cyber threats in scale and autonomy. Attackers can now automate reconnaissance, generate exploits, bypass safety guardrails, manipulate AI agents, or poison training data across distributed cloud environments. Wiz Research has highlighted this shift across multiple investigations, including its AI attack surface mapping and its analysis of insecure vibe-generated app code.
Wiz has also demonstrated how the AI ecosystem introduces new patterns of exposure, including:
- widespread AI secret leakage across GitHub in the Forbes AI 50
Wiz
Crying Out Cloud Newsletter - September 2025 | Wiz
blogs_wiz · 2025-09-07 · CVSS 8.1 [HIGH]
Welcome back! In this edition, we bring you the latest in cloud security - noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
## 🔍 Highlights
s1ngularity: Supply Chain Attack Leaks Secrets on GitHub
On August 26, 2025, multiple malicious versions of the widely used Nx build system package were published to the npm registry. These versions contained a post-installation malware script designed to harvest sensitive developer assets, including cryptocurrency wallets, GitHub and npm tokens, SSH keys, and more. The malware leveraged AI command-line tools (including Claude, Gemini, and Q) to aid in its reconnaissance efforts, and then exfiltrated the stolen data to publicly accessible attacker-created repositories within victims' GitHub accounts.
Learn more in
Wiz
Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover | Wiz Blog
blogs_wiz · 2025-08-04 · CVSS 9.0 [CRITICAL]
The Wiz Research team has discovered a chain of critical vulnerabilities in NVIDIA's Triton Inference Server, a popular open-source platform for running AI models at scale. When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE).
This attack path originates in the server's Python backend and starts with a minor information leak that cleverly escalates into a full system compromise. This poses a critical risk to organizations using Triton for AI/ML, as a successful attack could lead to the theft of valuable AI models, exposure of sensitive data, manipulating the AI model's responses and a foothold for attackers to move deeper into a network.
Wiz Research responsibly disclosed
Wiz
Posts by Ronen Shustin | Wiz
blogs_wiz · 2025-08-04 · CVSS 8.1 [HIGH] · CVE-2025-23319
## Breaking NVIDIA Triton: CVE-2025-23319 - A Vulnerability Chain Leading to AI Server Takeover
Wiz Research discovers a critical vulnerability chain allowing unauthenticated attackers to take over NVIDIA's Triton Inference Server.