
CVE-2023-6018

Critical · Public PoC · RCE

Published: 16 November 2023
Modified: 21 November 2024
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9127 (99.7th percentile)
Risk Priority: 74 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-6018 is a critical-severity OS Command Injection (CWE-78) vulnerability in Lfprojects Mlflow. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 0.3% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related: it is categorised under Other Platforms, in the Supply Chain and Deployment risk domain. MITRE ATLAS techniques in scope: AI Supply Chain Compromise (AML.T0010), Exfiltration via AI Inference API (AML.T0024), External Harms (AML.T0048).

Deeper analysis

CVE-2023-6018 is an unauthenticated file overwrite vulnerability affecting the MLflow machine learning platform. The flaw, assigned CWE-78, permits remote attackers to replace arbitrary files on the host server and carries a CVSS 3.1 base score of 9.8 reflecting network-accessible, low-complexity exploitation with no required credentials or user interaction.

An attacker can send crafted requests directly to a publicly reachable MLflow instance and overwrite any file on the underlying server filesystem. Successful exploitation grants full control over confidentiality, integrity, and availability of the MLflow deployment and any data or models it manages.

The current EPSS score of 0.9127, with a recorded peak of 0.9265, indicates sustained and elevated exploitation interest since disclosure. The issue is particularly relevant to AI/ML environments that rely on MLflow for experiment tracking and model management.

Vulnerability details

An attacker can overwrite any file on the server hosting MLflow without any authentication.

AI Security Analysis

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: MLflow is an open-source platform for managing the machine learning lifecycle, including experimentation, reproducibility, and deployment. It fits under 'Other Platforms' because it is not a framework, library, or specific AI sub-domain tool.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
T1098.004 SSH Authorized Keys (Persistence): Adversaries may modify the SSH authorized_keys file to maintain persistence on a victim host.
T1053.003 Cron (Execution): Adversaries may abuse the cron utility to perform task scheduling for initial or recurring execution of malicious code.
T1543.002 Systemd Service (Persistence): Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence.
T1562.001 Disable or Modify Tools (Defense Impairment): Adversaries may disable, degrade, or tamper with security tools or applications.
T1070.002 Clear Linux or Mac System Logs (Defense Impairment): Adversaries may clear system logs to hide evidence of an intrusion.
Why these techniques?

Unauthenticated arbitrary file overwrite on an MLflow server facilitates initial access via public-facing application exploitation (T1190); persistence through web shells (T1505.003), SSH authorized keys (T1098.004), cron jobs (T1053.003), and systemd services (T1543.002); impairment of defenses (T1562.001); and clearing of logs (T1070.002).

MITRE ATLAS Techniques

AML.T0010: AI Supply Chain Compromise
AML.T0024: Exfiltration via AI Inference API
AML.T0048: External Harms

Affected Assets

lfprojects mlflow, all versions

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.