New NVIDIA Triton AI Server Flaws Could Let Hackers Hijack Systems Remotely
If your organization relies on NVIDIA’s Triton Inference Server for deploying AI models, now’s the time to pay attention. A new set of security vulnerabilities could let attackers remotely take control of AI servers running both Linux and Windows—without needing a password.
Cybersecurity researchers at Wiz revealed three newly disclosed flaws that could be chained together to achieve remote code execution (RCE), data leaks, and denial-of-service (DoS) attacks. These bugs, found in Triton’s Python backend, pose a critical risk to any enterprise deploying AI models with this open-source tool.
The Vulnerabilities in Detail
The three CVEs disclosed by Wiz researchers Ronen Shustin and Nir Ohfeld include:
CVE-2025-23319 (CVSS 8.1): An out-of-bounds write flaw that could lead to remote code execution.
CVE-2025-23320 (CVSS 7.5): A memory overflow vulnerability that allows attackers to exceed shared memory limits.
CVE-2025-23334 (CVSS 5.9): An out-of-bounds read vulnerability, enabling unauthorized data access.
Individually, these bugs are serious. But when chained, they allow an unauthenticated attacker to go from information leakage to full server takeover.
How the Exploit Works
The root of the problem lies in Triton’s Python backend, which is used to handle AI inference requests from popular frameworks like TensorFlow and PyTorch.
Here’s how the attack chain unfolds:
The attacker first exploits CVE-2025-23320 to leak the internal name of Triton’s shared memory region—a key piece of information that should remain private.
Next, CVE-2025-23334 is used to read sensitive data from this memory space.
Finally, the attacker abuses CVE-2025-23319 to write malicious data and execute code remotely.
The implications? Full control over the AI inference server, including the ability to steal AI models, manipulate outputs, exfiltrate sensitive data, or move laterally across networks.
Patch Now: Version 25.07 Addresses the Flaws
NVIDIA has released patches in Triton Inference Server version 25.07 to fix these vulnerabilities. In its latest security bulletin, NVIDIA also addressed three other critical flaws—CVE-2025-23310, CVE-2025-23311, and CVE-2025-23317—which carry similar risks like remote code execution, denial-of-service, and data tampering.
There is no evidence that these vulnerabilities have been exploited in the wild, but given the low barrier to entry (no authentication needed), the window for opportunistic attacks is real.
Why This Matters: AI Infrastructure Is Now a Prime Target
This isn’t just a bug report—it’s another signal that AI infrastructure is becoming a high-value target for attackers. Triton is widely used in cloud-based machine learning pipelines, making it a tempting vector for supply chain attacks or intellectual property theft.
With organizations increasingly embedding AI models into business-critical systems, a vulnerability like this doesn’t just threaten uptime—it can compromise data integrity, model accuracy, and organizational trust.
It also raises a broader question: How well are AI tools, particularly open-source ones, prepared for the security challenges of production environments?
