Security researchers at Wiz disclosed a chain of critical vulnerabilities in NVIDIA’s Triton Inference Server that could allow unauthenticated, remote attackers to gain full control of AI inference servers.
These flaws reside primarily in the Python backend and HTTP handling logic, and when exploited in sequence, they enable remote code execution (RCE), information disclosure, denial of service (DoS), and data tampering.
NVIDIA promptly released patches in version 25.07 to address these and several other related issues. Organizations leveraging Triton for AI/ML workloads, ranging from cloud providers to research institutions, must urgently apply updates to mitigate these high-impact risks.
Background
Triton Inference Server is an open-source platform supporting model deployment from frameworks such as TensorFlow, PyTorch, and ONNX. It routes inference requests to appropriate models on CPU and GPU infrastructure, optimizing performance via shared-memory and HTTP/gRPC interfaces.
As of mid-2025, Triton serves over 25,000 customers worldwide, including major enterprises in technology, healthcare, and finance. The rapid adoption of Triton underscores its critical role in production AI, while also widening the attack surface for adversaries seeking to compromise AI pipelines.
Vulnerability Details
| CVE | Component | CVSS v3.1 | Type |
| CVE-2025-23319 | Python backend | 8.1 (High) | Out-of-bounds write |
| CVE-2025-23320 | Python backend | 7.5 (High) | Resource exhaustion / DoS |
| CVE-2025-23334 | Python backend | 5.9 (Medium) | Out-of-bounds read / Info disclosure |
CVE-2025-23319: A specially crafted inference request to the Python backend can trigger an out-of-bounds write, enabling RCE, DoS, data tampering, or information leak.
CVE-2025-23320: Sending a very large request can exceed shared-memory limits, causing information disclosure of internal IPC keys.
CVE-2025-23334: A malformed request can induce an out-of-bounds read in shared memory, leading to information disclosure.
NVIDIA’s August 4, 2025 security bulletin also includes fixes for three HTTP stack overflow flaws (CVE-2025-23310, CVE-2025-23311, CVE-2025-23317), rated Critical (9.8–9.1), which alone can lead to RCE, DoS, and data tampering.
Attack Chain
- Discovery:
Attacker locates a publicly exposed Triton endpoint via internet scanning or banner grabbing. - Memory-Name Leak (CVE-2025-23320):
A large, crafted request triggers an error revealing the unique IPC shared-memory key in an exception message (e.g., “Failed to increase the shared memory pool size for key ‘triton_python_backend_shm_region_<GUID>'”) . - Registration Abuse:
Using the leaked key, the adversary registers the internal shared-memory region via the public shared-memory API, which lacks validation on ownership. - Out-of-Bounds Manipulation (CVE-2025-23319 & CVE-2025-23334):
Crafted inference requests leverage write/read primitives to corrupt IPC control structures or read sensitive data, paving the way for arbitrary code execution. - Remote Code Execution:
With memory corrupted or manipulated, the attacker injects and executes code on the server, achieving full control.
MITRE ATT&CK Mapping
| Tactic | Technique |
| Reconnaissance | T1590: Gather Victim Host Information (HTTP banner, shared-memory errors) |
| Initial Access | T1190: Exploit Public-Facing Application (Crafted shared-memory/HTTP requests) |
| Execution | T1203: Exploitation for Client Execution (Out-of-bounds write/read leading to RCE) |
| Persistence | T1053: Scheduled Task/Job (Post-exploitation to maintain access) |
| Privilege Escalation | T1068: Exploitation for Privilege Escalation (Corrupt IPC to escalate privileges) |
| Defense Evasion | T1562: Impair Defenses (Tamper logs or security checks via corrupted memory structures) |
| Impact | T1490: Inhibit System Recovery (DoS via stack overflow, memory exhaustion) |
Impact and Risk
- Model Theft & Intellectual Property Loss: Proprietary AI models (often the most valuable assets) can be exfiltrated or destroyed once RCE is achieved.
- Data Exposure: Sensitive inference data (e.g., PII, financial records) processed by Triton may be leaked via out-of-bounds read.
- Response Manipulation: Attackers can alter model outputs, introducing backdoors, poisoned responses, or biased decisions, undermining AI reliability and compliance.
- Lateral Movement: A compromised Triton server offers a foothold for further network penetration, threatening broader infrastructure.
Given Triton’s widespread deployment in cloud and on-premises environments, the likelihood of exploitation is high until patches are applied.
Mitigation & Recommendations
- Immediate Patching: Upgrade Triton Inference Server and Python backend to version 25.07 or later.
- Restrict Network Exposure: Limit Triton’s management and inference ports (HTTP/gRPC) to trusted networks and apply network ACLs.
- Authentication & Authorization: Enforce mTLS or API-key authentication for inference endpoints; restrict shared-memory API access.
- Input Validation Fencing: Deploy an application-layer firewall to detect and block anomalously large or malformed inference requests.
- Monitoring & Logging: Enable detailed Triton logs; alert on shared-memory errors and high-volume requests.
- Incident Response Playbook: Prepare for potential RCE scenarios—snapshot/gather forensic data before patching.
Indicators of Compromise (IoCs)
| Indicator Category | Indicator Description |
| Error Patterns | Log entries containing Failed to increase the shared memory pool size for key ‘triton_python_backend_shm_region_*’ |
| Unusual API Calls | Shared-memory registration calls referencing internal region GUIDs |
| Anomalous Requests | HTTP requests with excessively large payloads targeting /v2/models/{model_name}/infer |
| Unexpected Processes | Shells or unknown binaries spawned from the Triton server process context post-exploit |
