CVE-2025-27520: BentoML: unauthenticated RCE via insecure deserialization

GHSA-33xw-247w-6hmc | Severity: CRITICAL | PoC available | CISA SSVC: Attend
Published April 4, 2025
CISO Take

Any BentoML deployment running v1.3.4–1.4.2 is fully compromised by a single unauthenticated HTTP request. With EPSS at 0.87, active exploitation is highly probable. Patch to v1.4.3 immediately; if patching is blocked, firewall all BentoML endpoints until the upgrade is complete.

Risk Assessment

CRITICAL. CVSS 9.8 with network-accessible, zero-auth RCE and no user interaction required. EPSS of 0.87 places this in the top percentile for likely active exploitation. BentoML serves ML models in production environments, making exposed instances high-value targets for model theft, credential harvesting, and lateral movement into broader ML infrastructure. Default port exposure and the prevalence of BentoML in cloud-hosted inference pipelines amplify the blast radius.

Affected Systems

Package: bentoml
Ecosystem: pip
Vulnerable range: >= 1.3.4, < 1.4.3
Patched: 1.4.3
Package profile: 8.6K, OpenSSF score 6.5, 23 dependents, pushed 3d ago, 50% patched, ~14d to patch

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 81.0% chance of exploitation in 30 days (higher than 99% of all CVEs)
Exploitation Status: Exploit Available (exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 81%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Recommended Action

  1. IMMEDIATE: Upgrade all BentoML instances to v1.4.3 (pip install --upgrade bentoml==1.4.3).

  2. If immediate patching is not possible, restrict network access to BentoML endpoints via firewall — whitelist only trusted IP ranges.

  3. Audit process logs for anomalous child process spawns from the BentoML process and unexpected outbound connections.

  4. Audit whether BentoML endpoints are inadvertently internet-exposed (default port 3000).

  5. Post-patch, rotate all credentials accessible from the BentoML host: API keys, DB passwords, cloud IAM tokens, model registry credentials.
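Two of the steps above, the version check (step 1) and the child-process audit (step 3), as an added Python example; this code is not from the advisory or the BentoML project. It assumes release-style version strings and auditd SYSCALL records for execve, and the log lines, pids and the worker process name "bentoml" are constructed for the demonstration.

```python
"""Triage helpers for the remediation steps (added example, not from the
advisory or the BentoML project). Assumes release-style version strings and
auditd SYSCALL records for execve; every sample value below is constructed."""
import re
from importlib.metadata import PackageNotFoundError, version

# Affected range as stated in the advisory: >= 1.3.4, < 1.4.3
VULNERABLE_FROM = (1, 3, 4)
FIXED_IN = (1, 4, 3)

# Step 3: commands a serving worker has no business launching. The interpreter
# itself is not listed because BentoML workers are Python processes.
SUSPICIOUS = {"sh", "bash", "dash", "zsh", "nc", "ncat", "curl", "wget", "perl"}

# key=value or key="quoted value" fields of an auditd record
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_version(text):
    """Return (major, minor, patch) for strings like '1.4.2' or 'v1.4.2rc1'."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version_text):
    """True when a BentoML version falls inside the affected range (step 1)."""
    return VULNERABLE_FROM <= parse_version(version_text) < FIXED_IN


def installed_bentoml_is_vulnerable():
    """Check the bentoml package in this interpreter; None if it is absent."""
    try:
        return is_vulnerable(version("bentoml"))
    except PackageNotFoundError:
        return None


def parse_audit_record(line):
    """Split one auditd record into its key=value fields, unquoting values."""
    return {key: val.strip('"') for key, val in FIELD.findall(line)}


def suspicious_spawns(lines, worker_pids=(), worker_comm="bentoml"):
    """Flag execve records whose process descends from a BentoML worker (step 3).

    worker_pids seeds the process tree (take them from `ps` in practice);
    worker_comm additionally recognises workers that exec'd inside the log
    window. The comm value "bentoml" is an assumption about how the serving
    process shows up, not something the advisory states.
    """
    tree = set(worker_pids)
    hits = []
    for line in lines:
        if "type=SYSCALL" not in line:
            continue
        rec = parse_audit_record(line)
        pid, ppid, comm = rec.get("pid"), rec.get("ppid"), rec.get("comm")
        if comm == worker_comm or ppid in tree:
            tree.add(pid)  # keep descendants, so grandchildren are covered too
        if ppid in tree and comm in SUSPICIOUS:
            hits.append({"ppid": ppid, "pid": pid, "comm": comm,
                         "exe": rec.get("exe", "")})
    return hits


# Constructed auditd lines from an execve rule keyed "proc_exec"; pids invented.
SAMPLE_AUDIT_LOG = [
    # the serving worker itself
    'type=SYSCALL msg=audit(1743760000.101:2001): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=4100 pid=4121 uid=1000 comm="bentoml" '
    'exe="/usr/bin/python3.11" key="proc_exec"',
    # benign: the worker starts another Python process
    'type=SYSCALL msg=audit(1743760001.202:2002): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=4121 pid=4130 uid=1000 comm="python3" '
    'exe="/usr/bin/python3.11" key="proc_exec"',
    # suspicious: the worker spawns a shell
    'type=SYSCALL msg=audit(1743760090.303:2003): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=4121 pid=4188 uid=1000 comm="sh" '
    'exe="/usr/bin/dash" key="proc_exec"',
    # suspicious: that shell runs a download tool (a grandchild of the worker)
    'type=SYSCALL msg=audit(1743760091.404:2004): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=4188 pid=4190 uid=1000 comm="curl" '
    'exe="/usr/bin/curl" key="proc_exec"',
    # unrelated: an administrator's interactive shell under init
    'type=SYSCALL msg=audit(1743760100.505:2005): arch=c000003e syscall=59 '
    'success=yes exit=0 ppid=1 pid=2000 uid=0 comm="bash" '
    'exe="/usr/bin/bash" key="proc_exec"',
]

if __name__ == "__main__":
    print("installed bentoml vulnerable:", installed_bentoml_is_vulnerable())
    for hit in suspicious_spawns(SAMPLE_AUDIT_LOG):
        print("suspicious spawn:", hit)
```

Run against a real host, feed `ausearch -k proc_exec --raw` output into `suspicious_spawns` and seed `worker_pids` from `ps`; the descendant tracking matters because post-exploitation tooling is usually launched from an intermediate shell rather than directly by the worker.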

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: 6.1.2 - AI risk assessment
NIST AI RMF: MANAGE 2.4 - Risk response mechanisms for AI systems
OWASP LLM Top 10: LLM05:2025 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-27520?

CVE-2025-27520 is an unauthenticated remote code execution vulnerability in BentoML versions 1.3.4 through 1.4.2, caused by insecure deserialization in serde.py. A single crafted HTTP request is enough to fully compromise an affected deployment. The fix is in v1.4.3; until the upgrade is complete, BentoML endpoints should be firewalled.

Is CVE-2025-27520 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-27520, increasing the risk of exploitation.

How to fix CVE-2025-27520?

1. IMMEDIATE: Upgrade all BentoML instances to v1.4.3 (pip install --upgrade bentoml==1.4.3).
2. If immediate patching is not possible, restrict network access to BentoML endpoints via firewall, whitelisting only trusted IP ranges.
3. Audit process logs for anomalous child process spawns from the BentoML process and unexpected outbound connections.
4. Audit whether BentoML endpoints are inadvertently internet-exposed (default port 3000).
5. Post-patch, rotate all credentials accessible from the BentoML host: API keys, DB passwords, cloud IAM tokens, model registry credentials.

What systems are affected by CVE-2025-27520?

This vulnerability affects the following AI/ML architecture patterns: model serving, inference pipelines, MLOps platforms, AI microservices, containerized ML deployments.

What is the CVSS score for CVE-2025-27520?

CVE-2025-27520 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 80.95%.

Technical Details

NVD Description

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. A Remote Code Execution (RCE) vulnerability caused by insecure deserialization has been identified in the latest version (v1.4.2) of BentoML. It allows any unauthenticated user to execute arbitrary code on the server. An unsafe code segment exists in serde.py. This vulnerability is fixed in 1.4.3.
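The vulnerability class the description names, unsafe pickle deserialization of untrusted input, as an added illustration; this is not BentoML's serde.py and does not reproduce its 1.4.3 fix. It uses a harmless builtin (sorted) as the callable that the unpickler invokes, and a restricted unpickler with an assumed allow-list of a single global (collections.OrderedDict) to stand in for whatever types a service legitimately needs.

```python
"""Why pickle.loads on a request body is remote code execution, and the
restricted-unpickler pattern that refuses it. Added example; not BentoML's
serde.py and not its actual fix."""
import collections
import io
import pickle


class Trigger:
    """Stand-in for attacker-controlled pickle content.

    __reduce__ tells the unpickler which callable to invoke, and with which
    arguments, when the object is rebuilt. A harmless builtin is used here,
    but the unpickler resolves and calls any importable callable the same way,
    before the application ever sees the result.
    """

    def __reduce__(self):
        return (sorted, ("cab",))


def unsafe_loads(body: bytes):
    """What an endpoint effectively does when it hands a body to pickle.loads."""
    return pickle.loads(body)


# Globals the service legitimately needs to rebuild (assumed); everything else,
# including every builtin, is refused. Never allow-list anything that can run
# code (os.system, subprocess.*, builtins.eval, ...).
ALLOWED_GLOBALS = frozenset({("collections", "OrderedDict")})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves only allow-listed module attributes."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(body: bytes):
    """Deserialize with the allow-list enforced; raises on any other global."""
    return RestrictedUnpickler(io.BytesIO(body)).load()


def demo():
    """Return (unsafe_result, restricted_outcome, data_roundtrip)."""
    # Constructed hostile body: it references only the callable, not Trigger.
    hostile = pickle.dumps(Trigger())
    unsafe_result = unsafe_loads(hostile)  # sorted("cab") ran: ['a', 'b', 'c']
    try:
        restricted_loads(hostile)
        restricted_outcome = "accepted"
    except pickle.UnpicklingError:
        restricted_outcome = "rejected"
    # Ordinary data (plain containers plus the allow-listed type) still loads.
    data = collections.OrderedDict(inputs=[1.0, 2.0], model="demo")
    data_roundtrip = restricted_loads(pickle.dumps(data))
    return unsafe_result, restricted_outcome, data_roundtrip


if __name__ == "__main__":
    print(demo())
```

The allow-list is defence in depth, not the primary remedy: a request body from an unauthenticated client should never reach pickle at all, and a data-only format (JSON, or array bytes loaded with pickling disabled, as NumPy's `allow_pickle=False` does) removes the class of bug instead of fencing it.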

Exploitation Scenario

An adversary scans for publicly exposed BentoML inference APIs (default port 3000). They craft a single HTTP POST request to any BentoML endpoint that triggers the unsafe deserialization path in serde.py, embedding a Python pickle payload that spawns a reverse shell. No authentication, no special headers, no prior knowledge of the model required. From the beachhead, they enumerate model artifacts, cloud credentials in environment variables, and connected data stores. Model weights and training datasets are exfiltrated before the compromise is detected — and in containerized deployments, they attempt container escape to reach the underlying host.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: April 4, 2025
Last Modified: June 27, 2025
First Seen: April 4, 2025
