CVE-2025-11201
Tracking · Tracking Multiple Products (specifically components utilizing the MLflow Tracking Server)
Executive summary
A critical remote code execution vulnerability has been identified in multiple products from the vendor "Tracking" that utilize the MLflow Tracking Server. This high-severity flaw, rated CVSS 8.1, allows an unauthenticated remote attacker to gain complete control over an affected server by exploiting a directory traversal weakness during the model creation process, potentially leading to data theft, service disruption, and further network compromise.
Vulnerability
The vulnerability is a directory traversal flaw within the model creation function of the MLflow Tracking Server. A remote, unauthenticated attacker can send a specially crafted request to the server's model creation endpoint. By including directory traversal sequences (e.g., ../) in a parameter, such as the model name or an associated file path, the attacker can trick the application into writing a file outside of the intended storage directory. An attacker can leverage this to write a malicious file (e.g., a web shell or script) to a web-accessible or executable location on the server, leading to remote code execution with the privileges of the MLflow service account.
Business impact
This is a high-severity vulnerability with a CVSS score of 8.1, posing a significant risk to the organization. Successful exploitation could lead to the complete compromise of the MLflow server, resulting in the theft of sensitive intellectual property, including proprietary machine learning models and training data. The attacker could disrupt critical MLOps pipelines, poison models, or use the compromised server as a pivot point to launch further attacks against the internal network. A breach of this nature could cause severe operational downtime, reputational damage, and potential regulatory penalties.
Remediation
Immediate Action: Apply security patches immediately for all internet-facing systems running the vulnerable MLflow Tracking Server software. Prioritize these external systems before proceeding with patching internal instances. After patching, review access and error logs for any signs of past exploitation attempts.
Proactive Monitoring:
- Log Analysis: Scrutinize MLflow server and web server access logs for requests to model creation endpoints containing directory traversal strings like ../ or ..\\.
- File Integrity Monitoring (FIM): Implement or review FIM alerts for any unexpected file creation or modification in sensitive system directories, web server root directories, or temporary file locations.
- Network Monitoring: Monitor for unusual outbound network connections originating from MLflow servers, as this could indicate a successful compromise and communication with a command-and-control server.
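The log analysis step above can be scripted. The following is an added example, not code from the vendor or from MLflow. It assumes common/combined-format access logs, and the log lines, the /api/models/create path and the "model" endpoint hint are constructed placeholders to replace with your deployment's values.

```python
import re
from urllib.parse import unquote

# Assumption: common/combined log format; adapt the pattern to your proxy.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A ".." segment bounded by / or \ (or following "=" in a query value).
TRAVERSAL_RE = re.compile(r'(?:^|[\\/=])\.\.(?:[\\/]|$)')
# Assumption: substring that identifies model creation routes in your deployment.
ENDPOINT_HINT = "model"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so single- and double-encoded forms both surface."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_traversal(lines, endpoint_hint=ENDPOINT_HINT):
    """Return (ip, method, decoded_target, status) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        target = fully_decode(m["target"])
        if endpoint_hint in target.lower() and TRAVERSAL_RE.search(target):
            hits.append((m["ip"], m["method"], target, int(m["status"])))
    return hits

# Constructed sample lines (documentation IP ranges, hypothetical endpoint path).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "POST /api/models/create?name=..%2f..%2ftmp%2fx HTTP/1.1" 200 12',
    '203.0.113.7 - - [01/Jan/2025:10:00:02 +0000] "POST /api/models/create?name=%252e%252e%255cx HTTP/1.1" 500 0',
    '198.51.100.4 - - [01/Jan/2025:10:01:00 +0000] "POST /api/models/create?name=churn-v2 HTTP/1.1" 200 45',
    '198.51.100.4 - - [01/Jan/2025:10:02:00 +0000] "GET /static/../favicon.ico HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for ip, method, target, status in find_traversal(SAMPLE):
        print(f"{ip} {method} {status} {target}")
```

Access logs normally record only the request line, so a traversal string carried in a POST body will not appear here; covering that case requires request-body logging at the application or proxy. A 2xx status on a flagged request is a reason to check the FIM alerts for the same time window.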
Compensating Controls:
- Web Application Firewall (WAF): If immediate patching is not feasible, deploy a WAF with rules specifically designed to detect and block directory traversal attack patterns in HTTP requests.
- Network Segmentation: Restrict network access to the MLflow Tracking Server. Ensure it is only accessible from trusted IP ranges and application sources, and not directly exposed to the internet if possible.
- Principle of Least Privilege: Run the MLflow server process using a dedicated, low-privilege service account to limit the potential damage an attacker can inflict upon successful code execution.
Exploitation status
Public Exploit Available: false
Analyst recommendation
This vulnerability represents a critical risk to our MLOps infrastructure and intellectual property. Due to the high CVSS score of 8.1 and the direct path to remote code execution, we strongly recommend that all system owners identify vulnerable MLflow Tracking Server instances and apply the vendor-supplied patches on an emergency basis. All internet-facing systems must be prioritized for immediate remediation. Although this vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a likely candidate for future inclusion, reinforcing the need for swift and decisive action.