A critical vulnerability chain in NVIDIA\u2019s Triton<\/a> Inference Server that allows unauthenticated attackers to achieve complete remote code execution (RCE) and gain full control over AI servers.\u00a0<\/p>\n The vulnerability chain, identified as CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334, exploits the server\u2019s Python backend through a sophisticated three-step attack process involving shared memory manipulation.<\/p>\n The vulnerability chain targets NVIDIA Triton Inference Server, a widely-deployed open-source platform used for running AI models at scale across enterprises.\u00a0<\/p>\n Wiz Research responsibly disclosed<\/a> the findings to NVIDIA with patches released on August 4, 2025.\u00a0<\/p>\n The attack begins with a minor information leak but escalates to complete system compromise, posing critical risks including theft of proprietary AI models, exposure of sensitive data, manipulation of AI model responses, and providing attackers with network pivot points.<\/p>\n The vulnerability specifically affects the Python backend, one of the most popular and versatile backends in the Triton ecosystem.\u00a0<\/p>\n This backend not only serves Python-written models but also acts as a dependency for other backends, significantly expanding the potential attack surface.\u00a0<\/p>\n Organizations using Triton for AI\/ML operations<\/a> face immediate threats to their intellectual property and operational security.<\/p>\n The attack chain employs a sophisticated Inter-Process Communication (IPC) exploitation method through shared memory regions located at \/dev\/shm\/.\u00a0<\/p>\n Step 1 involves triggering an information disclosure vulnerability through crafted large requests that cause exceptions, revealing the backend\u2019s internal shared memory name in error messages like \u201cFailed to increase the shared memory pool size for key \u2018triton_python_backend_shm_region_4f50c226-b3d0-46e8-ac59-d4690b28b859\u2032\u201d.<\/p>\n Step 2 exploits Triton\u2019s user-facing shared memory API, which lacks proper validation to distinguish between legitimate user-owned regions and private internal ones.\u00a0<\/p>\n Attackers can register the leaked internal shared memory key through the registration endpoint, gaining read\/write primitives into the Python backend\u2019s private memory containing critical data structures and control mechanisms.<\/p>\n Step 3 leverages this memory access to corrupt existing data structures, manipulate pointers like MemoryShm and SendMessageBase for out-of-bounds memory access, and craft malicious IPC messages to achieve remote code execution.<\/p>\n NVIDIA has released patches in Triton Inference Server version 25.07, and organizations must update immediately.\u00a0<\/p>\n The vulnerability affects both the main server and Python backend components, requiring comprehensive updates across all deployments.\u00a0<\/p>\n Wiz customers can utilize specialized detection queries through the Vulnerability Findings page and Security Graph to identify vulnerable instances, including publicly exposed VMs, serverless functions, and containers.<\/p>\n The post NVIDIA Triton Vulnerability Chain Let Attackers Take Over AI Server Control<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nKey Takeaways<\/strong>
1. CVE-2025-23319 chain allows attackers to take over NVIDIA Triton AI servers fully.
2. Exploits error messages to leak memory names, then abuses the shared memory API for remote code execution.
3. Update immediately - affects widely-used AI deployment infrastructure.<\/pre>\nVulnerability Chain Targets NVIDIA Triton Inference Server<\/strong><\/h2>\n
Integrate ANY.RUN TI Lookup<\/strong> with your SIEM or SOAR To Analyses Advanced Threats<\/strong> -> Try 50 Free Trial Searches<\/a> <\/strong><\/code><\/p>\n
![\"NVIDIA](\"https:\/\/lh7-rt.googleusercontent.com\/docsz\/AD_4nXeVo2jswoHlH3wxhgrmwhdSlekVLrc78M14M0CeyVcbmMaxZ100K_FjJiLOX_RcAOVj7OZH_oLoDwctgro9V7MjJOtd8CbT6OFeX64j2r4o9pKbcer-Ii_thpl8qF8sYxUjMiM2mA?key=DxfV0SS93gnnimL2Vkz3gg\")