CVE-2025-23316
Published: 17 September 2025
Summary
CVE-2025-23316 is a critical-severity OS Command Injection (CWE-78) vulnerability in Nvidia Triton Inference Server. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 36.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates CVE-2025-23316 by requiring timely patching of the vulnerable Python backend in NVIDIA Triton Inference Server to eliminate the OS command injection flaw.
Validates the model name parameter in model control APIs to prevent malicious input leading to remote code execution via OS command injection.
Enforces boundary protection at network interfaces to restrict remote unauthenticated access to the vulnerable model control APIs in Triton Inference Server.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated RCE via OS command injection in public-facing model control APIs of Triton Inference Server.
NVD Description
NVIDIA Triton Inference Server for Windows and Linux contains a vulnerability in the Python backend, where an attacker could cause a remote code execution by manipulating the model name parameter in the model control APIs. A successful exploit of this…
more
vulnerability might lead to remote code execution, denial of service, information disclosure, and data tampering.
Deeper analysisAI
CVE-2025-23316 is a high-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) affecting NVIDIA Triton Inference Server on Windows and Linux platforms. The issue resides in the Python backend, where an attacker can manipulate the model name parameter in the model control APIs to enable remote code execution. This flaw is classified under CWE-78 (OS Command Injection) and was published on 2025-09-17.
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-impact privileges, potentially leading to remote code execution, denial of service, information disclosure, and data tampering on the affected server.
The official NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5691 provides further details on the vulnerability, including recommended mitigations and patches. Security practitioners should consult this advisory for deployment-specific remediation steps.
Details
- CWE(s)