Attackers could havestolen AI models, exposed sensitive data, manipulated AI output, and used compromised servers to launch deeper network attacks.
A critical chain of vulnerabilities has been discovered in NVIDIA’s Triton Inference Server, a widely used open-source platform for running AI models at scale.
The flaws, located in the Python backend component of Triton, can be exploited by remote, unauthenticated attackers to take complete control of affected AI servers, enabling remote code execution.
Tracked as CVE-2025-23319 (CVSS score: 8.1), CVE-2025-23320 (CVSS score: 7.5), and CVE-2025-23334 (CVSS score: 5.9), these vulnerabilities were responsibly disclosed to NVIDIA in May 2025. NVIDIA responded quickly and addressed the issues in version 25.07, released on 4 August, 2025.
Mode of attack
The attack starts by triggering a verbose error message through a specially-crafted large request, which leaks the internal shared memory region name used by the Python back end’s Inter-Process Communication (IPC). This key internal information, which should have remained private, would have then been exploited via legitimate application programming interface (API) calls to gain arbitrary read and write access to critical backend memory.
With this access, attackers can corrupt internal data structures and craft malicious IPC messages, escalating the attack to achieve remote code execution on the server. Such a compromise can lead to the theft of proprietary AI models, exposure of sensitive data processed by the models, manipulation of AI responses, and provide attackers with a foothold to pivot deeper into corporate networks.
According to the disclosure, the exploit chain leverages a flaw in the validation of Triton’s shared memory API. By registering the leaked internal key through legitimate endpoints, attackers gain read/write access to the back end’s private memory, turning standard API calls into a powerful tool for server takeover.
The security research team that disclosed the discovery of the CVEs, Wiz, have highlighted how small vulnerabilities chained together can jeopardize an entire AI infrastructure. They urge all Triton users to update immediately to the patched versions and stress the importance of defense-in-depth security strategies in AI and machine learning deployments.
