Cyber Resilience

CVE-2025-58756

Tags: High · Public PoC · RCE

Published: 09 September 2025
Modified: 19 September 2025
KEV Added: not listed
Patch: no fixed version available at publication
CVSS v3.1 Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0276 (86.3rd percentile)
Risk Priority: 19 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-58756 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in MONAI (Medical Open Network for AI). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks in the top 13.7% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

This vulnerability is AI-related — categorised as Computer Vision; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-7 (Software, Firmware, and Information Integrity) and SI-10 (Information Input Validation).

Deeper analysis

MONAI, an AI toolkit for healthcare imaging, is affected by a deserialization vulnerability in all versions through 1.5.0. Although one code path in monai/bundle/scripts.py uses torch.load with weights_only=True, other locations that load checkpoints continue to accept untrusted serialized data, exposing users who resume training or import pre-trained models downloaded from external platforms.

An authenticated attacker can host or substitute a malicious checkpoint file; when a victim loads it, the deserialization triggers remote code execution, granting full control over the process and potentially the host system.

The referenced GitHub Security Advisory states that no fixed versions are available at the time of publication.

The issue is relevant to AI/ML pipelines that routinely load external checkpoints to reduce training cost, carries a CVSS score of 8.8, and shows a flat EPSS of 0.0276 with no material rise since disclosure.

EU & UK References

Vulnerability details

MONAI (Medical Open Network for AI) is an AI toolkit for health care imaging. In versions up to and including 1.5.0, the call `model_dict = torch.load(full_path, map_location=torch.device(device), weights_only=True)` in monai/bundle/scripts.py loads securely because of `weights_only=True`. However, insecure loading methods still exist elsewhere in the project, such as when loading checkpoints. This is a common practice when users want to reduce training time and costs by loading pre-trained models downloaded from other platforms. Loading a checkpoint containing malicious content can trigger a deserialization vulnerability, leading to code execution. As of the time of publication, no known fixed versions are available.

CWE(s)

CWE-502 Deserialization of Untrusted Data

AI Security Analysis

AI Category: Computer Vision
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1195.002 Compromise Software Supply Chain (tactic: Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1677 Poisoned Pipeline Execution (tactic: Execution)
Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process.
Why these techniques?

Unsafe deserialization vulnerability (torch.load without weights_only) enables arbitrary code execution via malicious checkpoints/pre-trained models, facilitating client-side exploitation (T1203), supply chain compromise through tainted models (T1195.002), and poisoned pipeline execution (T1677).

CVEs Like This One

CVE-2025-58757 (same product: MONAI, Medical Open Network for AI)
CVE-2025-58755 (same product: MONAI, Medical Open Network for AI)
CVE-2025-24357 (shared CWE-502)
CVE-2025-60036 (shared CWE-502)
CVE-2026-42471 (shared CWE-502)
CVE-2026-24216 (shared CWE-502)
CVE-2025-67729 (shared CWE-502)
CVE-2026-48207 (shared CWE-502)
CVE-2025-33252 (shared CWE-502)
CVE-2025-64512 (shared CWE-502)

Affected Assets

Vendor: monai
Product: medical open network for ai
Versions: ≤ 1.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-7 Software, Firmware, and Information Integrity (prevent)

Requires integrity verification of checkpoint files prior to torch.load deserialization, directly preventing execution of malicious content in tampered PyTorch checkpoints.

SI-10 Information Input Validation (prevent)

Validates the format and content of externally downloaded checkpoint files before insecure deserialization, rejecting malformed inputs that could trigger code execution.

Malicious code scanning (prevent, detect)

Scans checkpoint files from external platforms for malicious code prior to loading, eradicating threats that exploit insecure deserialization in MONAI.
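The three controls above, and the `weights_only=True` call path the vulnerability details cite, can be combined into one loading routine. The following is an added example written for this page; it is not MONAI's code and not part of the advisory. It assumes a deployment that records the expected SHA-256 of each approved checkpoint (the `expected_sha256` argument), an illustrative allowlist of pickle globals (`ALLOWED_GLOBALS`, to be adjusted for your own checkpoints), and the torch.save zip layout in which the object graph lives in a `data.pkl` entry. The helper names (`checkpoint_problems`, `load_checkpoint_safely`, `build_sample_checkpoint`) are hypothetical, and the sample checkpoint is constructed inline. The static scan uses `pickletools.genops`, which decodes pickle opcodes without executing them, so it is safe to run on a file you do not yet trust; PyTorch is only imported at the final step, so the validation helpers run without it.

```python
import hashlib
import pickle
import pickletools
import zipfile
from collections import OrderedDict
from pathlib import Path

# Globals a plain state_dict checkpoint legitimately needs. Assumption: this
# allowlist is illustrative; extend it for the tensor/storage helpers your own
# checkpoints reference, and keep it as short as your models allow.
ALLOWED_GLOBALS = {
    "collections.OrderedDict",
    "torch._utils._rebuild_tensor_v2",
    "torch.FloatStorage",
    "torch.LongStorage",
}


def sha256_of_file(path):
    """Stream the file through SHA-256 so large checkpoints are not read at once (SI-7)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def pickle_payload(path):
    """Return the pickle stream a checkpoint hands to the unpickler.

    torch.save's zip container stores the object graph as '<name>/data.pkl';
    a legacy (pre-zip) checkpoint is a single raw pickle stream.
    """
    if zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for entry in zf.namelist():
                if entry.endswith("data.pkl"):
                    return zf.read(entry)
        raise ValueError("zip container has no data.pkl")
    return Path(path).read_bytes()


def pickle_globals(data):
    """Statically list every 'module.attr' the pickle would import (SI-10).

    pickletools.genops decodes opcodes without executing them. Protocol <4 uses
    GLOBAL with arg 'module name'; protocol 4 pushes module and name as the two
    preceding string opcodes and then emits STACK_GLOBAL.
    """
    seen = []
    strings = []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            seen.append(f"{module}.{name}")
        elif opcode.name == "STACK_GLOBAL":
            if len(strings) < 2:
                raise ValueError("malformed STACK_GLOBAL")
            seen.append(f"{strings[-2]}.{strings[-1]}")
        if isinstance(arg, str):
            strings.append(arg)
    return seen


def unexpected_globals(data, allowed=ALLOWED_GLOBALS):
    """Globals the checkpoint references that are outside the allowlist."""
    return sorted(set(pickle_globals(data)) - set(allowed))


def checkpoint_problems(path, expected_sha256):
    """Return the reasons to refuse the file; an empty list means it passed."""
    if sha256_of_file(path) != expected_sha256:
        return ["sha256 mismatch"]  # do not parse a file whose integrity failed
    try:
        bad = unexpected_globals(pickle_payload(path))
    except (ValueError, zipfile.BadZipFile) as exc:
        return [f"unparseable checkpoint: {exc}"]
    return ["unexpected globals: " + ", ".join(bad)] if bad else []


def load_checkpoint_safely(path, expected_sha256, device="cpu"):
    """Integrity check, then static validation, then a weights_only load."""
    problems = checkpoint_problems(path, expected_sha256)
    if problems:
        raise ValueError("; ".join(problems))
    import torch  # imported lazily so the validation helpers run without PyTorch
    return torch.load(path, map_location=torch.device(device), weights_only=True)


def build_sample_checkpoint(path):
    """Write a constructed, benign zip-style checkpoint and return its digest."""
    state = OrderedDict([("layer.weight", [0.1, 0.2]), ("layer.bias", [0.0])])
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("ckpt/data.pkl", pickle.dumps(state, protocol=4))
        zf.writestr("ckpt/version", "3\n")
    return sha256_of_file(path)
```

Order matters: the digest check runs first so that a tampered file is never parsed at all, and the opcode scan runs before `torch.load` so that a checkpoint importing anything outside the allowlist is rejected even if a future code path forgets `weights_only=True`. Pinning the digest in your training or inference configuration is what turns "downloaded from another platform" into a verified artifact.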

References