CVE-2024-21799 — HIGH (CVSS 7.1) AI Security Vulnerability

CISO Take

Intel Extension for Transformers before v1.5 allows any authenticated local user to escalate privileges via path traversal—a trivial exploit on shared ML infrastructure like GPU clusters. Upgrade to v1.5+ immediately and audit who has shell access to systems running this library. The real risk is the blast radius: a compromised data scientist account becomes a root foothold on your ML training infrastructure.

Risk Assessment

Medium-high risk for organizations operating shared ML compute environments. CVSS 7.1 with local attack vector, low complexity, and low privilege requirement means any user account on an affected system is a potential escalation vector. Not in CISA KEV and no confirmed public exploits, but the technique is textbook—no AI expertise required. Highest exposure in multi-tenant GPU clusters, MLOps platforms, and CI/CD pipelines where multiple users share the same compute nodes. Impact scores (I:H, A:H) reflect potential for full system compromise or destruction of ML artifacts.

Severity & Risk

CVSS 3.1

7.1 / 10

EPSS

0.1%

chance of exploitation in 30 days

Higher than 18% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C None

I High

A High

Recommended Action

1 step

1) Patch: Upgrade Intel Extension for Transformers to v1.5+. Verify with: pip show intel-extension-for-transformers. 2) Inventory: Scan all ML servers, training nodes, and inference hosts—run: pip list --format=columns | grep intel-extension across your fleet. 3) Access control: Until patched, restrict local shell access on ML infrastructure to minimum required users; enforce SSH key-based auth only. 4) File integrity monitoring: Deploy FIM on critical directories (/etc, /root, model artifact paths) and alert on writes from Python/ML processes. 5) Container enforcement: For containerized ML workloads, enforce read-only mounts on system directories and drop DAC_OVERRIDE capabilities. 6) Secrets audit: Post-patch, rotate any credentials that may have been accessible on affected systems.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Supply Chain Framework AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0035 - AI Artifact Collection AML.T0037 - Data from Local System

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

Clause 6.1 - Actions to address risks and opportunities

NIST AI RMF

MANAGE 3.1 - Risks and mitigations are identified and prioritized

OWASP LLM Top 10

LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2024-21799?

Intel Extension for Transformers before v1.5 allows any authenticated local user to escalate privileges via path traversal—a trivial exploit on shared ML infrastructure like GPU clusters. Upgrade to v1.5+ immediately and audit who has shell access to systems running this library. The real risk is the blast radius: a compromised data scientist account becomes a root foothold on your ML training infrastructure.

Is CVE-2024-21799 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-21799, increasing the risk of exploitation.

How to fix CVE-2024-21799?

1) Patch: Upgrade Intel Extension for Transformers to v1.5+. Verify with: pip show intel-extension-for-transformers. 2) Inventory: Scan all ML servers, training nodes, and inference hosts—run: pip list --format=columns | grep intel-extension across your fleet. 3) Access control: Until patched, restrict local shell access on ML infrastructure to minimum required users; enforce SSH key-based auth only. 4) File integrity monitoring: Deploy FIM on critical directories (/etc, /root, model artifact paths) and alert on writes from Python/ML processes. 5) Container enforcement: For containerized ML workloads, enforce read-only mounts on system directories and drop DAC_OVERRIDE capabilities. 6) Secrets audit: Post-patch, rotate any credentials that may have been accessible on affected systems.

What systems are affected by CVE-2024-21799?

This vulnerability affects the following AI/ML architecture patterns: training pipelines, model serving, ML development environments, shared GPU clusters, MLOps platforms.

What is the CVSS score for CVE-2024-21799?

CVE-2024-21799 has a CVSS v3.1 base score of 7.1 (HIGH). The EPSS exploitation probability is 0.06%.

Technical Details

NVD Description

Path traversal for some Intel(R) Extension for Transformers software before version 1.5 may allow an authenticated user to potentially enable escalation of privilege via local access.

Exploitation Scenario

An attacker with a low-privileged account on a shared GPU training cluster—say, a compromised data scientist credential—calls a vulnerable file operation in Intel Extension for Transformers with a crafted path such as '../../root/.ssh/authorized_keys'. The library writes attacker-controlled content to the root SSH authorized_keys file, granting the attacker persistent root SSH access. From there, the attacker has unrestricted access to all model weights, training datasets, API keys stored in .env files, and the ability to poison models or exfiltrate proprietary IP. The entire operation requires no GPU, no ML knowledge, and no exploit tooling beyond a basic path traversal string.