CVE-2023-25668: TensorFlow: heap buffer overflow leading to crash or unauthenticated RCE

Severity: CRITICAL | Public PoC available | CISA SSVC: Track*
Published March 25, 2023
CISO Take

TensorFlow releases before 2.11.1, and 2.12.0 pre-release builds, carry a heap buffer overflow that NVD describes as leading to a crash or remote code execution, scored CVSS 9.8 with a public PoC indexed. The 9.8 assumes an unauthenticated network attacker can feed input to the affected kernel; in practice that means network-reachable inference endpoints whose served model routes client-controlled tensors into that kernel, and any pipeline that loads untrusted models or graphs. Upgrade to 2.11.1 or 2.12.0 now. If patching slips by even hours, put model serving behind an authenticating proxy and remove direct internet exposure. Inventory every TensorFlow install across serving infrastructure, notebooks and training clusters; shadow deployments are the real risk here.

Risk Assessment

Extreme. CVSS 9.8 with AV:N/AC:L/PR:N/UI:N is the most dangerous exploit profile: remotely triggered, repeatable, requiring no authentication or user interaction. A public PoC is indexed (trickest/cve) and the fix commit is public, which lowers the skill bar for reproducing the crash; turning a heap overflow into reliable code execution still requires exploit development against the specific binary, and CISA's SSVC assessment records no observed exploitation (Exploitation: none, decision Track). TensorFlow is pervasive across AI/ML stacks, so internal serving endpoints, Jupyter environments and MLOps pipelines are all in scope. Organizations exposing TF Serving directly to the internet with a model that passes client-controlled tensors into the affected kernel are one crafted request away from an outage, and potentially from full server compromise.

Affected Systems

Package      Ecosystem   Vulnerable Range                                   Patched
tensorflow   pip         < 2.11.1; 2.12.0 pre-release and nightly builds    2.11.1, 2.12.0

If you run TensorFlow below 2.11.1, or any 2.12.0 pre-release or nightly build, you are in scope. Confirm the exact version in each environment rather than assuming a single fleet-wide value.

Severity & Risk

CVSS 3.1
9.8 / 10
EPSS
1.5%
chance of exploitation in 30 days
Higher than 81% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

5 steps
  1. Patch immediately: upgrade TensorFlow to 2.12.0 or later, or to 2.11.1 on the 2.11 branch, which carries the fix as a cherry-pick of commit 7b174a0f2e40ff3f3aa957aecddfd5aaae35eccb. Treat 2.12.0 pre-release and nightly builds as unpatched.

  2. Inventory: enumerate the TensorFlow version in every production serving deployment, training cluster, CI/CD pipeline and developer notebook, including container image tags (tensorflow/serving and custom base images), pinned requirements.txt files and conda environments. Read the version from package metadata or the image manifest rather than importing TensorFlow on each host.

  3. Network hardening: put model-serving APIs behind an API gateway that authenticates callers, and block direct internet exposure of the TF Serving defaults, 8500 (gRPC) and 8501 (REST).

  4. Container isolation: run TF Serving as a non-root user in a sandboxed container with a read-only root filesystem, all capabilities dropped and default-deny egress, so that a successful exploit cannot reach out or persist.

  5. Detection: alert on restarts, SIGSEGV/SIGABRT exits and OOM kills of tensorflow_model_server, and on malformed or oversized prediction requests; a burst of crashes attributable to one client is the signature of an attacker probing for the crash primitive.
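As an added example for steps 1 and 2 above and for the Affected Systems table (this is editor-supplied code, not TensorFlow's or the advisory's own), the script below applies the page's fixed versions, 2.11.1 and 2.12.0, to pinned requirements and to the TensorFlow distribution installed in the current interpreter. It parses a PEP 440 subset so that 2.12.0rc1 and 2.12.0.dev builds are classified as vulnerable rather than mistaken for 2.12.0, reads installed versions from package metadata without importing TensorFlow, and flags unpinned ranges that can only be resolved against a concrete environment. The set of TensorFlow distribution names is an assumption and not exhaustive; the sample requirements file is constructed for the example.

```python
"""Triage TensorFlow versions against the CVE-2023-25668 fix line (2.11.1 / 2.12.0).

Added example for this advisory, not TensorFlow's or the advisory's own code.
A small PEP 440 subset parser keeps 2.12.0rc1 from being mistaken for 2.12.0.
"""
import re
from importlib import metadata
from typing import Iterator, Optional, Tuple

FIXED_2_11 = (2, 11, 1)   # fix cherry-picked onto the 2.11 branch
FIXED_2_12 = (2, 12, 0)   # first fixed release on the main line

# Assumed, non-exhaustive list of pip distributions that ship the TF runtime.
TF_DIST_NAMES = {"tensorflow", "tensorflow-cpu", "tensorflow-gpu", "tensorflow-intel",
                 "tensorflow-macos", "tf-nightly", "tf-nightly-cpu", "tf-nightly-gpu"}

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?:[-._]?(?P<pre>a|b|rc)(?P<pre_n>\d+))?(?:\.?dev(?P<dev_n>\d+))?$",
    re.IGNORECASE)
_PRE_STAGE, _DEV, _FINAL = {"a": 1, "b": 2, "rc": 3}, 0, 4
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.-]+(?:\[[^\]]*\])?)\s*"
                     r"(?P<op>===|==|~=|>=|<=|!=|>|<)?\s*(?P<ver>[^\s;#,]+)?")


def parse_version(text: str) -> Tuple[Tuple[int, int, int], int, int]:
    """Return (release, stage, number) with stage ordered dev < a < b < rc < final."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))
    if m["dev_n"] is not None:
        return release, _DEV, int(m["dev_n"])
    if m["pre"]:
        return release, _PRE_STAGE[m["pre"].lower()], int(m["pre_n"])
    return release, _FINAL, 0


def is_vulnerable(version_text: str) -> bool:
    """True if this TensorFlow version predates the fix on its branch."""
    release, stage, _ = parse_version(version_text)
    final = stage == _FINAL

    def below(fixed):  # a pre-release or dev build of the fixed version predates the fix
        return release < fixed or (release == fixed and not final)

    if release[:2] == (2, 11):
        return below(FIXED_2_11)
    if release[:2] >= (2, 12):
        return below(FIXED_2_12)
    return True  # 2.10 and older, and 1.x, never received a fix


def scan_requirements(text: str) -> Iterator[Tuple[str, Optional[str], str]]:
    """Yield (distribution, version, verdict) for TF entries in a requirements file.

    Verdict is 'vulnerable', 'patched', or 'unpinned' for ranges that can only be
    resolved against the installed environment.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank line or a pip option such as -r
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name = re.sub(r"\[.*\]", "", m["name"]).lower().replace("_", "-")
        if name not in TF_DIST_NAMES:
            continue
        if m["op"] in ("==", "===") and m["ver"]:
            yield name, m["ver"], "vulnerable" if is_vulnerable(m["ver"]) else "patched"
        else:
            yield name, m["ver"], "unpinned"


def installed_tensorflow() -> Optional[Tuple[str, str, str]]:
    """Check the interpreter's TF distribution from package metadata, without
    importing tensorflow (which loads the native runtime). None if not installed."""
    for dist in sorted(TF_DIST_NAMES):
        try:
            ver = metadata.version(dist)
        except metadata.PackageNotFoundError:
            continue
        return dist, ver, "vulnerable" if is_vulnerable(ver) else "patched"
    return None


# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
numpy==1.24.2
tensorflow==2.11.0              # serving image base: affected
tensorflow-cpu==2.12.0rc1       # pre-release of the fixed version: still affected
tf-nightly==2.12.0.dev20230301  # nightly below 2.12.0: affected
tensorflow-gpu>=2.10            # a range, not a pin: resolve in the target env
tensorflow_macos==2.11.1        # fixed release on the 2.11 branch
tensorflow[and-cuda]==2.13.0    # extras are stripped before matching the name
"""

if __name__ == "__main__":
    for name, ver, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name:18} {ver or '-':22} {verdict}")
    print("installed:", installed_tensorflow())
```

Run it inside each serving image, notebook kernel and training environment (or point scan_requirements at each pinned requirements file); unpinned entries need a `pip freeze` in the resolved environment before they can be judged, and the 2.12.0 pre-release handling is deliberately conservative in line with the "prior to 2.12.0" range in the NVD description.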

CISA SSVC Assessment

Decision Track*
Exploitation none
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity for high-risk AI systems
ISO 42001
A.6.2.5 - Information security in AI system lifecycle
NIST AI RMF
MANAGE-2.2 - Mechanisms to sustain beneficial AI use while managing identified risks
OWASP LLM Top 10
LLM03:2025 - Supply Chain (listed as LLM05 Supply Chain Vulnerabilities in the 2023 edition)

Frequently Asked Questions

What is CVE-2023-25668?

CVE-2023-25668 is a heap buffer overflow in TensorFlow releases before 2.11.1 and in 2.12.0 pre-release builds. According to the NVD description, an attacker can cause access to heap memory outside the user's control, leading to a crash or remote code execution. It carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is fixed in TensorFlow 2.11.1 and 2.12.0.

Is CVE-2023-25668 actively exploited?

Proof-of-concept code for CVE-2023-25668 is publicly indexed (trickest/cve), which raises the likelihood of exploitation attempts. CISA's SSVC assessment for this CVE records Exploitation: none with a decision of Track, so no active exploitation has been recorded there; EPSS estimates a 1.5% probability of exploitation within 30 days.

How to fix CVE-2023-25668?

Upgrade to TensorFlow 2.11.1 (on the 2.11 branch) or 2.12.0 or later. Until every instance is upgraded: inventory all TensorFlow installs, including pinned requirements, conda environments and container images; keep model-serving APIs behind an authenticating gateway with no direct internet exposure of the TF Serving defaults, 8500 (gRPC) and 8501 (REST); run serving in sandboxed, non-root containers with a read-only root filesystem and no outbound network; and alert on crashes, segmentation faults and OOM kills of the serving process. The five steps are detailed under Recommended Action above.

What systems are affected by CVE-2023-25668?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference APIs, training pipelines, MLOps platforms, Jupyter/notebook environments.

What is the CVSS score for CVE-2023-25668?

CVE-2023-25668 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 1.47%.

Technical Details

NVD Description

TensorFlow is an open source platform for machine learning. Attackers using Tensorflow prior to 2.12.0 or 2.11.1 can access heap memory which is not in the control of user, leading to a crash or remote code execution. The fix will be included in TensorFlow version 2.12.0 and will also cherrypick this commit on TensorFlow version 2.11.1.

Exploitation Scenario

An attacker scans for internet-facing TensorFlow Serving endpoints (ports 8500 gRPC and 8501 REST by default) with Shodan or a similar index. Against a vulnerable instance whose served model routes client-controlled tensors into the affected operation kernel, they send a prediction request whose tensor shape or contents trigger the heap buffer overflow. The dependable outcome is heap corruption and a crash of tensorflow_model_server, breaking inference SLAs; turning that corruption into code execution requires exploit development against the specific binary, but the CVSS vector assumes it is achievable. Where it is, the attacker establishes a reverse shell, reads model weights and training data from mounted volumes, and queries the cloud metadata endpoint for instance credentials to pivot into S3 buckets, GCS or Azure Blob containers holding proprietary data. The same kernel is reachable far more directly wherever TensorFlow loads attacker-supplied models or executes attacker-supplied graphs, such as notebooks and training pipelines, because a TensorFlow model is a program and untrusted models should be treated as untrusted code.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
March 25, 2023
Last Modified
November 21, 2024
First Seen
March 25, 2023

Related Vulnerabilities