CVE-2025-12638

Keras · Keras Multiple Products

Executive summary

A high-severity vulnerability has been discovered in Keras version 3, which could allow an unauthenticated attacker to execute arbitrary code. Exploitation occurs when a victim loads a specially crafted, malicious machine learning model file, potentially leading to a complete system compromise, data theft, or service disruption. Organizations using the affected Keras library are urged to apply security updates immediately to mitigate this significant risk.

Vulnerability

The vulnerability is a remote code execution (RCE) flaw stemming from unsafe deserialization when loading certain model formats. An attacker can create a malicious model file containing embedded arbitrary commands. When an application using the vulnerable Keras library loads this malicious file, the embedded commands are executed on the underlying server with the privileges of the running application, leading to a full system compromise.

Business impact

This vulnerability is rated as High severity with a CVSS score of 8. Successful exploitation could have a severe impact on the business, allowing an attacker to take full control of the affected server. This could lead to the theft of sensitive data, including proprietary training datasets and intellectual property, disruption of critical AI/ML services, or the use of the compromised system as a pivot point for further attacks within the network. The potential consequences include significant financial loss, reputational damage, and regulatory penalties.

Remediation

Immediate Action: Apply vendor security updates immediately to all systems running the affected Keras library. Prioritize patching for internet-facing systems or critical servers responsible for model training and inference. After patching, monitor for any signs of exploitation attempts and review historical access logs for suspicious model-loading activities.

Proactive Monitoring: Monitor for anomalous behavior on application servers, such as unexpected child processes being spawned by the Python application (e.g., bash, powershell.exe, curl). Scrutinize network traffic for outbound connections to unusual IP addresses or ports. Implement logging and alerting for errors or exceptions generated during the model loading process.

Compensating Controls: If immediate patching is not feasible, implement compensating controls. Run the Keras application in a restricted, containerized, or sandboxed environment with strict egress filtering to limit an attacker's ability to communicate outbound. Enforce a strict policy of only loading machine learning models from trusted, verified, and internally audited sources.
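
The child-process check described under Proactive Monitoring can be sketched as follows. This is an added example, not vendor or Keras project code. The event schema (pid, ppid, image, cmdline), the sample events, and the rule that any image name starting with "python" counts as the application are assumptions. It walks the full process ancestry, so a listed child launched through an intermediate shell is still attributed to the Python process.

```python
import json
import ntpath

# Child process names listed in the advisory; extend per environment.
SUSPICIOUS_CHILDREN = {"bash", "powershell.exe", "curl"}

# Constructed sample events (hypothetical schema: pid, ppid, image, cmdline).
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1, "image": "/usr/bin/python3.11", "cmdline": "python3.11 serve.py"}
{"pid": 101, "ppid": 100, "image": "/bin/bash", "cmdline": "bash -c ./fetch.sh"}
{"pid": 102, "ppid": 101, "image": "/usr/bin/curl", "cmdline": "curl https://example.invalid/"}
{"pid": 200, "ppid": 1, "image": "/usr/sbin/sshd", "cmdline": "sshd -D"}
{"pid": 201, "ppid": 200, "image": "/bin/bash", "cmdline": "bash -l"}
{"pid": 300, "ppid": 4, "image": "C:\\Python311\\python.exe", "cmdline": "python.exe app.py"}
{"pid": 301, "ppid": 300, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -NoProfile"}
"""

def load_events(text):
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def name(image):
    # ntpath splits on both "\" and "/", so one call covers Windows and POSIX paths.
    return ntpath.basename(image).lower()

def find_suspicious_children(events):
    """Flag listed child processes that have a Python interpreter as an ancestor."""
    by_pid = {e["pid"]: e for e in events}  # assumes PIDs are not reused in the window
    alerts = []
    for e in events:
        if name(e["image"]) not in SUSPICIOUS_CHILDREN:
            continue
        chain, seen, ppid = [name(e["image"])], {e["pid"]}, e["ppid"]
        while ppid in by_pid and ppid not in seen:  # walk up; stop on cycles
            parent = by_pid[ppid]
            seen.add(ppid)
            chain.append(name(parent["image"]))
            if chain[-1].startswith("python"):  # assumption: app runs as python*
                alerts.append({"pid": e["pid"], "chain": chain[::-1], "cmdline": e["cmdline"]})
                break
            ppid = parent["ppid"]
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_children(load_events(SAMPLE_EVENTS)):
        print(alert["pid"], " -> ".join(alert["chain"]), "|", alert["cmdline"])
```

The interactive `bash -l` under `sshd` is not flagged because no Python interpreter appears in its ancestry; in production, map the field names to whatever your process-creation telemetry emits.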

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high-severity rating (CVSS 8) of this remote code execution vulnerability, we strongly recommend that organizations prioritize the immediate application of vendor-supplied patches to all affected systems. Although this vulnerability is not currently listed in the CISA KEV catalog and has no known public exploits, the potential for complete system compromise presents a significant risk. Organizations should treat this as a critical priority and implement the recommended remediation and monitoring actions without delay.