CVE-2023-25668: TensorFlow: unauthenticated RCE via heap buffer overflow

Severity: CRITICAL. Public PoC available. CISA SSVC decision: Track*
Published March 25, 2023
CISO Take

Any TensorFlow deployment below 2.12.0 or 2.11.1 with a network-accessible inference endpoint is vulnerable to unauthenticated remote code execution — a worst-case CVSS 9.8 with a public PoC. Patch to TF 2.12.0 or 2.11.1 immediately; if patching is delayed even hours, place model serving behind an authenticating proxy and kill direct internet exposure. Inventory every TF instance across serving infrastructure, notebooks, and training clusters — shadow deployments are the real risk here.

What is the risk?

Extreme. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N represents the most dangerous exploit profile: remotely triggered, trivially repeatable, requiring zero authentication or user interaction. A public exploit commit is referenced in the advisory, reducing the skill bar to near zero. TensorFlow is pervasive across AI/ML stacks — internal serving endpoints, Jupyter environments, and MLOps pipelines are all in scope. Organizations exposing TF Serving directly to the internet are one crafted request away from full server compromise.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
TensorFlow pip No patch

Do you use TensorFlow? You're affected.

How severe is it?

CVSS 3.1: 9.8 / 10
EPSS: 0.8% chance of exploitation in 30 days (higher than 53% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Trivial
Exploitation Confidence: medium (public PoC indexed in trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

What should I do?

5 steps
  1. Patch immediately: upgrade TensorFlow to 2.12.0+ or apply the 2.11.1 cherry-pick (commit 7b174a0f2e40ff3f3aa957aecddfd5aaae35eccb).

  2. Inventory: enumerate all TF versions in production serving, training clusters, CI/CD pipelines, and developer notebooks — pay special attention to pinned requirements.txt or conda envs.

  3. Network hardening: ensure model serving APIs are behind API gateways with authentication; block direct internet exposure of ports 8500/8501 (TF Serving defaults).

  4. Container isolation: run TF serving in sandboxed containers with no outbound network, drop capabilities, and read-only rootfs to constrain RCE blast radius.

  5. Detection: alert on unexpected crashes, segmentation faults, or OOM kills in TF serving processes — these are early indicators of exploitation attempts.
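Step 2's inventory, as an added example that is not from the page or the TensorFlow project: a small Python checker that scans requirements.txt or pip freeze output, applies the patched versions named above (2.11.1 on the 2.11 branch, 2.12.0 otherwise), and separately flags unpinned TensorFlow requirements that cannot be judged at all. The tensorflow-cpu/tensorflow-gpu package names and the conservative treatment of pre-releases are my assumptions.

```python
import re

# Patched releases named on the page: 2.11.1 (cherry-pick) and 2.12.0.
FIXED_BRANCH, FIXED_RELEASE = (2, 11, 1), (2, 12, 0)
# Assumption (not on the page): the cpu/gpu wheel variants ship the same kernels.
TF_PACKAGES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu"}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}  # a final release ranks 3, above any pre-release
_REQ = re.compile(r"^([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")

def version_key(ver):
    """'2.12.0rc1' -> (2, 12, 0, 2, 1); None if this simple parser cannot read it."""
    m = _VER.match(ver.strip())
    if not m:
        return None
    rank = _PRE_RANK[m.group(4)] if m.group(4) else 3
    return tuple(int(x) for x in m.group(1, 2, 3)) + (rank, int(m.group(5) or 0))

def cve_2023_25668_status(ver):
    """'patched' for 2.12.0+ or a 2.11.x release >= 2.11.1, else 'vulnerable'.
    Pre-releases sort below their final, so 2.12.0rc0 is reported vulnerable
    (assumption: the page does not say which pre-releases carry the fix)."""
    key = version_key(ver)
    if key is None:
        return "unknown"
    if key >= FIXED_RELEASE + (3, 0):
        return "patched"
    if key[:2] == FIXED_BRANCH[:2] and key >= FIXED_BRANCH + (3, 0):
        return "patched"
    return "vulnerable"

def audit_requirements(text):
    """Return (package, spec, status) for TensorFlow lines in requirements/pip-freeze
    text. Only exact pins (==) can be judged; anything else is reported 'unpinned'."""
    findings = []
    for raw in text.splitlines():
        m = _REQ.match(raw.split("#", 1)[0].strip())  # drop comments, blank lines
        name = m.group(1).lower().replace("_", "-") if m else None
        if name not in TF_PACKAGES:
            continue
        op, ver = m.group(2), m.group(3)
        if op == "==" and ver:
            findings.append((name, ver, cve_2023_25668_status(ver)))
        else:
            findings.append((name, f"{op or ''}{ver}", "unpinned"))
    return findings

# Constructed sample pip-freeze output; not taken from any real deployment.
SAMPLE_REQUIREMENTS = ("numpy==1.24.2\ntensorflow==2.11.0\ntensorflow-cpu==2.12.0\n"
                       "tensorflow_gpu==2.11.1\ntensorflow==2.12.0rc0\ntensorflow>=2.9\n")
```

Run it over the real output of `pip freeze` from every environment found in step 2; an 'unpinned' finding means the installed version must be read from the environment itself before it can be judged.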

What does CISA's SSVC say?

Decision: Track*
Exploitation: none
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
ISO 42001: A.6.2.5 - Information security in AI system lifecycle
NIST AI RMF: MANAGE-2.2 - Mechanisms to sustain beneficial AI use while managing identified risks
OWASP LLM Top 10: LLM05:2025 - Insecure Plugin Design / Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2023-25668 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-25668, increasing the risk of exploitation.

What systems are affected by CVE-2023-25668?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, MLOps platforms, Jupyter/notebook environments.

What is the CVSS score for CVE-2023-25668?

CVE-2023-25668 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 0.83%.

What is the AI security impact?

Affected AI Architectures

  • model serving
  • inference APIs
  • training pipelines
  • MLOps platforms
  • Jupyter/notebook environments

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0025 Exfiltration via Cyber Means
AML.T0035 AI Artifact Collection
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.5
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM05:2025

What are the technical details?

Original Advisory

TensorFlow is an open source platform for machine learning. Attackers using TensorFlow prior to 2.12.0 or 2.11.1 can access heap memory which is not under the user's control, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also be cherry-picked (this commit) into TensorFlow version 2.11.1.

Exploitation Scenario

Attacker scans for internet-facing TensorFlow Serving endpoints via Shodan (ports 8500/8501, gRPC/REST). Against a vulnerable instance, they send a crafted HTTP prediction request containing a malformed tensor with dimensions or data engineered to trigger the heap buffer overflow in a vulnerable TF operation kernel. On unpatched versions, this corrupts heap memory — either crashing the process (disrupting inference SLAs) or redirecting execution. With RCE, the attacker deploys a reverse shell, exfiltrates model weights and training data from mounted volumes, and queries the cloud metadata endpoint to harvest IAM credentials for lateral movement to S3 buckets, GCS, or Azure Blob containing proprietary data.

Weaknesses (CWE)

CWE-122 — Heap-based Buffer Overflow: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

  • [Pre-design] Use a language or compiler that performs automatic bounds checking.
  • [Architecture and Design] Use an abstraction library to abstract away risky APIs. Not a complete solution.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023

Related Vulnerabilities