A critical vulnerability has been discovered in the NVIDIA Triton Inference Server, identified as CVE-2025-23317 with a CVSS score of 9.1. An unauthenticated attacker can send a specially crafted web request to a vulnerable server to gain full control via a reverse shell. A successful exploit could lead to complete system compromise, allowing for data theft, service disruption, and further attacks on the internal network.

The vulnerability exists within the HTTP server component of the NVIDIA Triton Inference Server. An attacker can exploit this flaw by sending a specially crafted HTTP request to the server's listening port. This request triggers a condition that allows for remote code execution (RCE), enabling the attacker to force the compromised server to initiate an outbound connection (a "reverse shell") back to an attacker-controlled machine, effectively bypassing perimeter firewalls.

This vulnerability is rated as critical severity with a CVSS score of 9.1. Successful exploitation grants an attacker remote control over the Triton Inference Server, leading to severe business consequences. These risks include the theft of proprietary machine learning models and sensitive data being processed, manipulation of AI model outputs to cause incorrect results, and complete denial of service. Furthermore, a compromised server can be used as a pivot point to launch further attacks against other critical systems within the organization's network, escalating the incident's impact.

Immediate Action: The primary remediation is to update the NVIDIA Triton Inference Server to the latest patched version as recommended by the vendor. After patching, administrators should closely monitor for any signs of exploitation attempts by reviewing server and network access logs for suspicious activity.

Proactive Monitoring: Organizations should monitor for unusual outbound network connections from Triton servers, especially to unknown IP addresses or ports, which could indicate a reverse shell. Review HTTP access logs for malformed or anomalous requests that do not align with standard API traffic. Monitor system processes for unexpected child processes spawned by the Triton server process.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Restrict network access to the Triton server's HTTP port using a firewall or network access control lists (ACLs), allowing connections only from trusted IP ranges.
• Deploy a Web Application Firewall (WAF) in front of the server to inspect and block malicious HTTP requests.
• Run the Triton Inference Server process with the lowest possible user privileges to limit an attacker's capabilities if the system is compromised.

Public Exploit Available: false

Given the critical severity (CVSS 9.1) and the risk of complete system compromise, it is imperative that organizations identify all vulnerable instances of NVIDIA Triton Inference Server and apply the vendor-supplied patches immediately. This vulnerability represents a significant threat to confidentiality, integrity, and availability. While it is not yet on the CISA KEV list, its high impact makes it a prime target for future exploitation. If patching cannot be performed immediately, the compensating controls listed above must be implemented as a matter of urgency.