Researchers at Wiz have identified multiple flaws in both the Windows and Linux versions of NVIDIA’s Triton open-source platform, enabling potential attackers to seize control of vulnerable servers without the need for authentication.
Overview of the Vulnerabilities
Three key vulnerabilities are at the heart of the issue, all residing in the Python backend of the Triton Inference Server, which is designed to process inference requests for AI models built with frameworks such as PyTorch and TensorFlow:
- CVE-2025-23319 (CVSS 8.1): This vulnerability allows for an out-of-bounds write operation when a specially crafted request is processed, potentially leading to remote code execution or data tampering.
- CVE-2025-23320 (CVSS 7.5): By sending an excessively large request, an attacker can exceed the shared memory limit, resulting in information leakage from protected memory areas.
- CVE-2025-23334 (CVSS 5.9): An out-of-bounds read vulnerability that could be used to leak sensitive information from the server.
Exploitation Scenario and Impact
The Wiz research team demonstrated that chaining these vulnerabilities could escalate the threat from an information disclosure issue to a complete system compromise. Using CVE-2025-23320, an attacker can first uncover the unique internal name of Triton’s inter-process communication (IPC) shared memory region—a detail that should remain confidential. Leveraging the other two vulnerabilities, the attacker is then able to gain full remote control over the inference server.
Successful exploitation poses several risks, including theft of proprietary AI models, exposure of sensitive data, manipulation of AI responses, denial of service, and a potential entry point for wider network attacks. All these can occur without attackers needing valid credentials.
Additional Bugs and Remediation
NVIDIA’s latest security bulletin also details fixes for three more critical vulnerabilities (CVE-2025-23310, CVE-2025-23311, and CVE-2025-23317), each capable of enabling remote code execution, service disruption, information exposure, or unauthorized data alteration.
NVIDIA has released version 25.07 of the Triton Inference Server, addressing all noted vulnerabilities. At present, there are no reports indicating exploitation of these flaws in the wild.
