CVE-2023-6015: MLflow: unauthenticated arbitrary file write via PUT

HIGH PoC AVAILABLE
Published November 16, 2023
CISO Take

Any internet-exposed MLflow instance is at critical risk. An unauthenticated attacker can write arbitrary files to the server without credentials, potentially overwriting model artifacts, injecting malicious payloads, or poisoning training pipelines. Restrict MLflow network access to internal networks immediately and apply available patches — this should never be internet-facing.

Risk Assessment

Effectively critical in real-world deployments despite CVSS 7.5. Zero-auth requirement combined with network accessibility and trivial exploitation creates maximum blast radius in ML environments, which historically lack network segmentation. MLflow instances are commonly deployed with default configurations and direct artifact store access, making lateral movement into the broader ML pipeline straightforward post-exploitation.

Affected Systems

Package
mlflow
Ecosystem
pip
Vulnerable Range
(none listed)
Patched
No patch


Severity & Risk

CVSS 3.1
7.5 / 10
EPSS
0.8%
chance of exploitation in 30 days
Higher than 74% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Privileges Required (PR)
None
User Interaction (UI)
None
Scope (S)
Unchanged
Confidentiality (C)
High
Integrity (I)
None
Availability (A)
None

Recommended Action

  1. Apply MLflow patch (versions released after 2023-11-16 address this).

  2. If unpatched, immediately firewall MLflow port (default 5000/5001) to trusted CIDR ranges only.

  3. Deploy MLflow behind an authenticating reverse proxy (OAuth2/OIDC or mTLS).

  4. Audit artifact store for unexpected files — compare checksums against known-good baseline.

  5. Enable file integrity monitoring on MLflow artifact directories and alert on unexpected writes.

  6. If previously internet-exposed, treat as compromised: rotate all credentials, audit model artifacts for tampering, re-train from verified data snapshots.

  7. Scan artifact store for deserialization risks (.pkl, .joblib files) that may have been replaced.
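Steps 4, 5 and 7 above can be scripted against a local artifact root. The following is an added example, not MLflow's own tooling: it hashes every file under the artifact root, compares the result with a baseline captured from a known-good store, and singles out added or modified pickle-style files. The directory layout (`0/run1/artifacts/...`) and file contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Formats that execute code on deserialization; a change to one of these is
# the highest-priority finding (recommended action 7).
RISKY_SUFFIXES = {".pkl", ".pickle", ".joblib"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(artifact_root: Path) -> dict:
    """Map each file under the artifact root (relative POSIX path) to its SHA-256.
    Capture this from a known-good store and keep it where the MLflow host cannot write."""
    return {p.relative_to(artifact_root).as_posix(): sha256_file(p)
            for p in sorted(artifact_root.rglob("*")) if p.is_file()}


def audit(artifact_root: Path, baseline: dict) -> dict:
    """Compare the live store against the baseline (recommended action 4) and
    single out changed serialized models (recommended action 7)."""
    current = build_baseline(artifact_root)
    added = sorted(set(current) - set(baseline))
    missing = sorted(set(baseline) - set(current))
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    risky = [p for p in added + modified if Path(p).suffix.lower() in RISKY_SUFFIXES]
    return {"added": added, "modified": modified, "missing": missing, "risky": sorted(risky)}


def demo() -> dict:
    """Constructed scenario: baseline a clean store, then swap model.pkl and drop an unexpected .py file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        art = root / "0" / "run1" / "artifacts"
        art.mkdir(parents=True)
        (art / "MLmodel").write_text("flavors: {}\n")                  # constructed metadata
        (art / "model.pkl").write_bytes(b"constructed good model")
        baseline = build_baseline(root)
        (art / "model.pkl").write_bytes(b"constructed tampered model")  # replaced model
        (art / "train.py").write_text("# unexpected file\n")            # file that should not exist
        return audit(root, baseline)


if __name__ == "__main__":
    print(demo())
```

Run `build_baseline` once on a trusted store, persist the dict, and run `audit` from the file integrity monitor or a cron job; anything in `risky` should be quarantined before any pipeline loads it.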

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
6.1.2 - AI risk assessment
8.4 - AI system operation and monitoring
NIST AI RMF
GOVERN-1.7 - Processes for AI risk identification and management
MANAGE-2.2 - Mechanisms to sustain value of deployed AI systems
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities
LLM04:2025 - Data and Model Poisoning

Frequently Asked Questions

Is CVE-2023-6015 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2023-6015, increasing the risk of exploitation.

What systems are affected by CVE-2023-6015?

This vulnerability affects the following AI/ML architecture patterns: MLOps platforms, model registry, training pipelines, experiment tracking systems, model serving, ML CI/CD pipelines.

What is the CVSS score for CVE-2023-6015?

CVE-2023-6015 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.77%.

Technical Details

NVD Description

MLflow allowed arbitrary files to be PUT onto the server.

Exploitation Scenario

An attacker discovers an exposed MLflow instance via Shodan or a public IP scan on port 5000. With a single unauthenticated HTTP PUT request using a path traversal payload in the artifact URI (e.g., ../../app/model.py), they write a malicious Python file to the server filesystem. When the next scheduled training job or CI/CD pipeline loads a 'model' from the artifact store, the malicious file executes with the ML worker's privileges, granting a persistent foothold in the ML infrastructure. Alternatively, the attacker replaces a legitimate serialized model (.pkl) with a maliciously pickled object that executes arbitrary code when any downstream inference service calls model.load().
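The server-side check that closes this bug class is path containment: resolve the requested artifact name under the artifact root and refuse anything that lands outside it. The helper below is an added example, not MLflow's fix; `resolve_artifact_path`, `is_safe_artifact_path` and the `/srv/mlruns` root are assumptions, and the page's `../../app/model.py` payload appears only as a rejected input.

```python
from pathlib import Path, PurePosixPath


def resolve_artifact_path(artifact_root: str, requested: str) -> Path:
    """Map an artifact-relative name (already URL-decoded by the web layer) to a
    filesystem path, raising ValueError if it would escape the artifact root.
    Hypothetical helper, not MLflow's code."""
    root = Path(artifact_root).resolve()
    rel = PurePosixPath(requested)
    # Structural rejects: empty name, absolute path, any '..' segment.
    if not rel.parts or rel.is_absolute() or ".." in rel.parts:
        raise ValueError(f"rejected artifact path: {requested!r}")
    # Semantic check: resolve symlinks and verify the result is still under root,
    # so a symlink planted inside the store cannot redirect a write outside it.
    candidate = root.joinpath(*rel.parts).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"artifact path escapes root: {requested!r}")
    return candidate


def is_safe_artifact_path(artifact_root: str, requested: str) -> bool:
    """Boolean wrapper for request handlers and tests."""
    try:
        resolve_artifact_path(artifact_root, requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    ROOT = "/srv/mlruns"  # assumed artifact root
    for name in ("0/run1/artifacts/model.pkl", "../../app/model.py",
                 "/tmp/outside.txt", "a/../../b", ""):
        verdict = "allowed" if is_safe_artifact_path(ROOT, name) else "rejected"
        print(f"{name!r:35} -> {verdict}")
```

The structural check alone is not enough: only the post-resolve comparison catches a symlink inside the store that points elsewhere, which is why both layers are kept.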

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
November 16, 2023
Last Modified
November 21, 2024
First Seen
November 16, 2023

Related Vulnerabilities