5 Sources
[1]
Nvidia patches bug chain leading to total Triton takeover
Wiz Research details flaws in Python backend that expose AI models and enable remote code execution
Security researchers have lifted the lid on a chain of high-severity vulnerabilities that could lead to remote code execution (RCE) on Nvidia's Triton Inference Server. Wiz Research said that if the three vulnerabilities they discovered and reported to Nvidia were exploited successfully, the potential consequences could include AI model theft, sensitive data breaches, manipulation of AI model responses, or attackers moving into other areas of the network.
Nvidia has now patched the bugs affecting Triton Inference Server, an open source platform for running AI models and serving them to user-facing apps. Triton Inference Server was designed by Nvidia to be able to run models from any major AI framework, and it does this using different backends, each of which is dedicated to a specific framework. Triton's Python backend, however, is called upon by frameworks other than Python itself, making it one of the most versatile backends that the server supports. This wider reliance on Python means that any security weaknesses found here could significantly increase the number of organizations affected.
The first vulnerability (CVE-2025-23320 - 7.5) relates to a bug in the Python backend, triggered by exceeding the shared memory limit, using a very large request. This causes an error message that reveals the unique name (key) of the backend's internal IPC shared memory region in full. Using the newfound unique memory region name, attackers can combine it with the public shared memory API to take control of a Triton Inference Server. An attacker can take advantage of this API's sub-par validation to exploit out-of-bounds write and read bugs - CVE-2025-23319 (8.1) and CVE-2025-23334 (5.9) respectively.
Because the API fails to check whether the attacker-supplied key (the unique shared memory name) corresponds to a legitimate user-owned region or a private internal one, Triton will accept the attacker's registration endpoint request, allowing them to read from and write to that region. With the ability to manipulate the backend's shared memory, attackers can gain full control of the server.
Wiz did not say whether the bug chain had been exploited in the wild, adding that it would refrain from publishing further details at this time. "This research demonstrates how a series of seemingly minor flaws can be chained together to create a significant exploit," said the team behind the findings. "A verbose error message in a single component [and] a feature that can be misused in the main server were all it took to create a path to potential system compromise.
"As companies deploy AI and ML more widely, securing the underlying infrastructure is paramount. This discovery highlights the importance of defense-in-depth, where security is considered at every layer of an application."
Nvidia confirmed that all three security flaws were patched in version 25.07, which was released on August 4, and all versions prior are vulnerable. The Wiz team said: "We would like to thank the Nvidia security team for their excellent collaboration and swift response.
"We strongly recommend all Triton Inference Server users update to the latest version."
Triton has been used for several years by organizations of various sizes, although Nvidia launched Dynamo earlier this year, which is positioned as Triton's successor.
[2]
NVIDIA Triton Bugs Let Unauthenticated Attackers Execute Code and Hijack AI Servers
A newly disclosed set of security flaws in NVIDIA's Triton Inference Server for Windows and Linux, an open-source platform for running artificial intelligence (AI) models at scale, could be exploited to take over susceptible servers. "When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE)," Wiz researchers Ronen Shustin and Nir Ohfeld said in a report published today. The vulnerabilities are listed below -
* CVE-2025-23319 (CVSS score: 8.1) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request
* CVE-2025-23320 (CVSS score: 7.5) - A vulnerability in the Python backend, where an attacker could cause the shared memory limit to be exceeded by sending a very large request
* CVE-2025-23334 (CVSS score: 5.9) - A vulnerability in the Python backend, where an attacker could cause an out-of-bounds read by sending a request
Successful exploitation of the aforementioned vulnerabilities could result in information disclosure, as well as remote code execution, denial of service, and data tampering in the case of CVE-2025-23319. The issues have been addressed in version 25.07. The cloud security company said the three shortcomings could be combined in a way that transforms the problem from an information leak to a full system compromise without requiring any credentials. Specifically, the problems are rooted in the Python backend that's designed to handle inference requests for Python models from any major AI frameworks such as PyTorch and TensorFlow. In the attack outlined by Wiz, a threat actor could exploit CVE-2025-23320 to leak the full, unique name of the backend's internal IPC shared memory region, a key that should have remained private, and then leverage the remaining two flaws to gain full control of the inference server. 
"This poses a critical risk to organizations using Triton for AI/ML, as a successful attack could lead to the theft of valuable AI models, exposure of sensitive data, manipulating the AI model's responses, and a foothold for attackers to move deeper into a network," the researchers said. NVIDIA's August bulletin for Triton Inference Server also highlights fixes for three critical bugs (CVE-2025-23310, CVE-2025-23311, and CVE-2025-23317) that, if successfully exploited, could result in remote code execution, denial of service, information disclosure, and data tampering. While there is no evidence that any of these vulnerabilities have been exploited in the wild, users are advised to apply the latest updates for optimal protection.
[3]
Security flaws in key Nvidia enterprise tool could have let hackers run malware on Windows and Linux systems
A patch has been released, so users should update immediately
Nvidia Triton Inference Server carried three vulnerabilities which, when combined, could lead to remote code execution (RCE) and other risks, security experts from Wiz have warned. Triton is a free open source tool working on both Windows and Linux which helps companies run AI models efficiently on servers, whether in the cloud, on-site, or at the edge. It supports many popular AI frameworks and speeds up tasks by handling multiple models at once and grouping similar requests together. Wiz found three flaws in the Python backend: CVE-2025-23319 (out-of-bounds write bug with an 8.1/10 severity score), CVE-2025-23320 (shared memory limit exceeding vulnerability with a 7.5/10 severity score), and CVE-2025-23334 (an out-of-bounds vulnerability with a 5.9/10 score). "When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE)," Wiz said in its security advisory. The risk is real, too, they added, stressing that companies stand to lose sensitive data: "This poses a critical risk to organizations using Triton for AI/ML, as a successful attack could lead to the theft of valuable AI models, exposure of sensitive data, manipulating the AI model's responses, and a foothold for attackers to move deeper into a network," the researchers added. Nvidia said it addressed the issues in version 25.07, and users are "strongly recommended" to update to the latest version as soon as possible. At press time, there were no reports of anyone abusing these flaws in the wild; however, many cybercriminals will wait until a vulnerability is disclosed to target organizations that aren't that diligent when patching and keep their endpoints vulnerable for longer periods of time.
[4]
Nvidia releases update for 'critical' vulnerabilities in AI stack
Triton is Nvidia's open-source inference server designed to optimize AI model deployment, now at the center of newly disclosed security vulnerabilities. Technology company Nvidia released on Saturday a software update to patch vulnerabilities in its Triton server, which clients use for artificial intelligence models. The vulnerabilities, which cybersecurity company Wiz calls "critical," could lead to the takeover of AI models, data theft and response manipulation if not patched. "Wiz Research found a chain of vulnerabilities that, when combined, could let an attacker with no prior access take full control of an AI server," Wiz head of vulnerability research Nir Ohfeld told Cointelegraph. "The attack starts with a minor bug that causes the server to leak a small piece of secret internal data," he said. "An attacker can then use that data to trick one of the server's legitimate features into giving them control over a private system component. This initial foothold is all they need to escalate their privileges and achieve a complete server takeover." Triton is an open-source inference software designed by Nvidia to optimize artificial intelligence models. While the full scope of customers who use Triton is unknown, some big-name enterprises have been cited as employing it, including Microsoft, Amazon, Oracle, Siemens and American Express. According to a 2021 press release, over 25,000 companies use Nvidia's AI stack. An Nvidia spokesperson declined to comment beyond referring to the company's security bulletin. The disclosed vulnerabilities were assigned the identifiers CVE-2025-23319, CVE-2025-23320 and CVE-2025-23334. "The single most important step is to update to the patched version of the Nvidia Triton Inference Server (version 25.07 or newer)," Ohfeld told Cointelegraph. "This directly fixes the entire vulnerability chain." Ohfeld added that as of now, "we have not seen evidence of these specific vulnerabilities being exploited in the wild. 
However, Nvidia Triton is a very popular and widely used platform for AI workloads." Security vulnerabilities have hampered emerging technologies in 2025, including crypto, where exploits have led to the theft of billions of dollars worth of digital assets. According to Hacken, a blockchain security auditor, access flaws and smart contract bugs are contributing to the $3.1 billion lost in crypto exploits in the first half of 2025. That amount already exceeds the total lost in 2024. Meanwhile, according to some experts, AI agents and quantum computing are likely to pose new cyber threats.
[5]
Wiz finds exploit chain in Nvidia AI inference software
Wiz researchers discovered a vulnerability chain in Nvidia Triton enabling full AI server takeover without prior access. Nvidia released a software update on Saturday to address critical vulnerabilities in its Triton server, identified by cybersecurity firm Wiz, which could enable AI model takeover, data theft, and response manipulation. The vulnerabilities, deemed "critical" by Wiz, pertain to Nvidia's Triton server, employed by clients to execute artificial intelligence models. Failure to patch these vulnerabilities could result in unauthorized control of AI models, exfiltration of sensitive data, and manipulation of AI responses. Nir Ohfeld, Wiz's Head of Vulnerability Research, stated that Wiz Research discovered a vulnerability chain allowing an attacker with no prior access to gain complete control of an AI server. This attack initiates with a minor bug that causes the server to leak a small piece of secret internal data. An attacker can then leverage this leaked data to exploit one of the server's legitimate features, thereby gaining control over a private system component, which provides the initial foothold necessary to escalate privileges and achieve a full server takeover. Triton functions as an open-source inference software developed by Nvidia, designed to optimize the deployment and performance of artificial intelligence models. While the complete roster of Triton users remains undisclosed, prominent enterprises such as Microsoft, Amazon, Oracle, Siemens, and American Express utilize the software. A 2021 press release indicated that over 25,000 companies employ Nvidia's AI stack. Nvidia's spokesperson did not provide further comments beyond referring to the company's security bulletin regarding these issues. The vulnerabilities have been officially assigned the identifiers CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334. 
Ohfeld emphasized that the most crucial step for users is to update to the patched version of the Nvidia Triton Inference Server, specifically version 25.07 or newer, as this directly resolves the entire vulnerability chain. He also noted that there is currently no evidence of these specific vulnerabilities being actively exploited in real-world scenarios, despite Nvidia Triton being a widely used platform for AI workloads. Emerging technologies have faced significant security vulnerabilities in 2025. In the cryptocurrency sector, for example, exploits have led to substantial financial losses. Hacken, a blockchain security auditor, reported that access flaws and smart contract bugs contributed to $3.1 billion lost in crypto exploits during the first half of 2025. This amount surpasses the total losses recorded throughout 2024.
Security researchers uncover a chain of high-severity vulnerabilities in Nvidia's Triton Inference Server that could lead to remote code execution and AI model theft. Nvidia releases patches to address the issues.
Security researchers from Wiz have uncovered a chain of high-severity vulnerabilities in Nvidia's Triton Inference Server, an open-source platform designed for running AI models at scale. These flaws, if exploited, could potentially lead to remote code execution (RCE) and expose organizations to significant risks [1].
The researchers identified three critical vulnerabilities in the Triton Inference Server's Python backend:
* CVE-2025-23320 (CVSS score: 7.5): A flaw that allows attackers to exceed the shared memory limit by sending a very large request, revealing the unique name of the backend's internal IPC shared memory region [2].
* CVE-2025-23319 (CVSS score: 8.1): An out-of-bounds write vulnerability that can be exploited using the information leaked from CVE-2025-23320 [2].
* CVE-2025-23334 (CVSS score: 5.9): An out-of-bounds read vulnerability that, when combined with the other flaws, completes the attack chain [2].
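The two weaknesses the coverage describes, an error message that echoes a private region name and a registration API that checks neither ownership nor bounds, can be modelled side by side with their hardened forms. This is an added example, not Triton or Wiz code; `ShmRegistry`, `audit`, the key format and the sizes are hypothetical.

```python
import secrets

class ShmError(Exception):
    """Error text returned to the remote client."""

class ShmRegistry:
    """Toy server: one private IPC region plus client-created regions."""
    def __init__(self, hardened: bool, limit: int = 1024):
        self.hardened = hardened
        self.limit = limit
        # Private region name; it is only secret while nothing echoes it.
        self.internal_key = "internal_ipc_" + secrets.token_hex(8)
        self.regions = {self.internal_key: (4096, True)}  # key -> (size, internal?)
        self.registered = {}  # client-chosen name -> (key, offset, byte_size)

    def create_user_region(self, key: str, size: int) -> None:
        self.regions[key] = (size, False)

    def infer(self, payload: bytes) -> str:
        if len(payload) <= self.limit:
            return "ok"
        if self.hardened:
            raise ShmError("request exceeds shared memory limit")
        # Weak form: the internal region name is echoed to the client.
        raise ShmError(f"failed to grow shared memory region '{self.internal_key}'")

    def register(self, name: str, key: str, offset: int, byte_size: int) -> bool:
        if key not in self.regions:
            raise ShmError("unknown region")
        size, internal = self.regions[key]
        if self.hardened:
            if internal:
                # Same answer as "not found": no oracle for valid internal keys.
                raise ShmError("unknown region")
            if offset < 0 or byte_size <= 0 or offset + byte_size > size:
                raise ShmError("range outside region")
        self.registered[name] = (key, offset, byte_size)
        return True

def audit(server: ShmRegistry) -> dict:
    """Run the defender's three checks against one server configuration."""
    server.create_user_region("user_region", 64)  # constructed sample region
    result = {}
    try:
        server.infer(b"A" * (server.limit + 1))
    except ShmError as err:
        result["error_leaks_key"] = server.internal_key in str(err)
    for label, args in (("internal_accepted", (server.internal_key, 0, 16)),
                        ("oob_accepted", ("user_region", 32, 64))):
        try:
            result[label] = server.register(label, *args)
        except ShmError:
            result[label] = False
    return result
```

In the hardened configuration any one of the three checks is enough to break the chain, which is the defense-in-depth point the researchers make.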
If successfully exploited, these vulnerabilities could allow an unauthenticated attacker to gain complete control of the Triton Inference Server. The potential consequences include:
Triton Inference Server is used by numerous organizations for AI/ML workloads, including major companies such as Microsoft, Amazon, Oracle, Siemens, and American Express. A 2021 press release indicated that over 25,000 companies use Nvidia's AI stack [4].
The vulnerabilities affect both Windows and Linux systems running the Triton Inference Server [3].
Nvidia has addressed these vulnerabilities in version 25.07 of the Triton Inference Server, released on August 4, 2025. The company strongly recommends that all users update to this latest version immediately [1].
Nir Ohfeld, Wiz's Head of Vulnerability Research, emphasized the importance of updating: "The single most important step is to update to the patched version of the Nvidia Triton Inference Server (version 25.07 or newer). This directly fixes the entire vulnerability chain." [5]
This incident highlights the growing importance of security in AI infrastructure. As companies increasingly deploy AI and machine learning technologies, securing the underlying infrastructure becomes paramount. The discovery of these vulnerabilities underscores the need for a defense-in-depth approach, where security is considered at every layer of an application [1].
While there is currently no evidence of these vulnerabilities being exploited in the wild, the widespread use of Nvidia's Triton Inference Server in AI workloads makes it a potentially attractive target for attackers [5].