CVE-2025-49655

Keras · Keras Framework

A critical remote code execution vulnerability exists in the Keras machine learning framework.

Executive summary

A critical remote code execution vulnerability exists in the Keras machine learning framework. An attacker can exploit this flaw by tricking a user or an automated system into loading a maliciously crafted model file, which could result in a complete compromise of the host system. Due to the high severity (CVSS 9.8), immediate patching is necessary to prevent potential data breaches, service disruption, and further network intrusion.

Vulnerability

This vulnerability is an insecure deserialization of untrusted data. When loading a .keras model file that uses the PyTorch backend, the Keras framework does not properly validate the serialized contents before reconstructing objects from them. An attacker can craft a model file containing a serialized PyTorch module (TorchModule) with an embedded payload. When a vulnerable version of Keras deserializes and loads this model, the payload runs with the permissions of the loading application, resulting in remote code execution (RCE) on the target system.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation allows an unauthenticated attacker to execute arbitrary code on the server where the Keras model is being loaded. The business impact includes the potential for complete system compromise, leading to sensitive data exfiltration, deployment of ransomware, or the use of the compromised system as a pivot point for further attacks within the network. Any application or service that loads Keras models from potentially untrusted sources is at immediate risk of a full security breach.

Remediation

Immediate Action: Update the affected Keras framework to the latest secure version (3.11.3 or later) as recommended by the vendor. After patching, monitor systems for any signs of post-exploitation activity, such as unusual processes or network connections, and review historical access logs for evidence of malicious file uploads.

Proactive Monitoring:

  • Monitor application logs for errors or warnings related to model deserialization.
  • Scrutinize system logs for suspicious child processes being spawned by the Python application responsible for loading Keras models (e.g., sh, bash, curl, powershell).
  • Monitor outbound network traffic from application servers for connections to unusual IP addresses or domains, which could indicate a C2 channel.
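
As an added example (not part of this advisory), the following detector applies the second monitoring bullet to process-creation events: it flags sh, bash, curl, powershell and similar children whose parent is the Python service that loads Keras models, and ignores the same binaries when they run under unrelated parents such as cron. The one-line log format, the host name, the process names and the sample events are all constructed for illustration; adapt parse_event() to your real source (auditd EXECVE records, Sysmon Event ID 1, an eBPF exec tracer).

```python
"""Flag shell-like child processes spawned by the model-loading service.

Added example, not part of the original advisory. The process-creation log
format below is constructed for illustration; adapt parse_event() to your real
source (auditd EXECVE/SYSCALL records, Sysmon Event ID 1, an eBPF exec tracer).
"""
import re
from typing import Dict, List, Optional

# Child binaries the advisory calls out as suspicious under a model loader.
SUSPICIOUS_CHILDREN = {"sh", "bash", "dash", "zsh", "curl", "wget", "powershell", "pwsh"}
# Process names of the application that loads Keras models (assumed deployment).
MODEL_LOADER_PARENTS = {"python", "gunicorn", "uvicorn", "celery"}

# Constructed line format: one process-creation event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) ppid=(?P<ppid>\d+) parent=(?P<parent>\S+) "
    r"pid=(?P<pid>\d+) child=(?P<child>\S+) cmd=\"(?P<cmd>[^\"]*)\"$"
)


def _basename(path: str) -> str:
    """'/usr/bin/python3.11' -> 'python' (drop directory and version suffix)."""
    name = path.rsplit("/", 1)[-1]
    return re.sub(r"[\d.]+$", "", name)


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_suspicious(event: Dict[str, str]) -> bool:
    """True when a model-loader process spawns a shell or download tool."""
    return (_basename(event["parent"]) in MODEL_LOADER_PARENTS
            and _basename(event["child"]) in SUSPICIOUS_CHILDREN)


def find_suspicious_children(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that should raise an alert, in log order."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is not None and is_suspicious(ev):
            alerts.append(ev)
    return alerts


# Constructed sample events: two hits, one benign child, one shell under cron,
# and one unparseable line.
SAMPLE_LOG = [
    '2025-07-01T10:02:11Z host=ml-api-01 ppid=4120 parent=/usr/bin/python3.11 pid=4188 child=/bin/sh cmd="sh -c id"',
    '2025-07-01T10:02:12Z host=ml-api-01 ppid=4120 parent=/usr/bin/python3.11 pid=4191 child=/usr/bin/curl cmd="curl -s http://203.0.113.5/"',
    '2025-07-01T10:03:40Z host=ml-api-01 ppid=4120 parent=/usr/bin/python3.11 pid=4205 child=/usr/bin/nvidia-smi cmd="nvidia-smi -q"',
    '2025-07-01T10:05:00Z host=ml-api-01 ppid=1 parent=/usr/sbin/cron pid=4310 child=/bin/sh cmd="sh -c /opt/backup.sh"',
    'garbage line that does not parse',
]


def main() -> None:
    for ev in find_suspicious_children(SAMPLE_LOG):
        print(f"ALERT {ev['ts']} {ev['host']}: {ev['parent']} (pid {ev['ppid']}) "
              f"spawned {ev['child']} pid {ev['pid']}: {ev['cmd']}")


if __name__ == "__main__":
    main()
```

Matching on the parent's base name rather than a fixed PID keeps the rule stable across worker restarts; in a real pipeline the parent set should be narrowed to the specific service account or container that performs model loading, so that developer shells on the same host do not generate noise.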

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

  • Input Sanitization: Only allow model files to be loaded from trusted and verified internal sources. Do not process Keras models uploaded by external or unauthenticated users.
  • Sandboxing: Run the model-loading process within a heavily restricted, containerized environment (e.g., Docker) with no network access and minimal file system permissions.
  • Code Signing: Implement a process to cryptographically sign all legitimate models and verify the signature before loading them.
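
As an added example (not part of this advisory or of the Keras project), the following shows the third compensating control end to end: a trusted release step writes a detached tag beside the model, and the serving side refuses to call the loader unless the tag verifies against the file bytes. To run without extra packages it uses an HMAC-SHA256 tag from the standard library in place of a true signature; a production rollout would use an asymmetric scheme (for example Ed25519 via the cryptography package) so that serving hosts hold only a public key. The model bytes, file names, .sig suffix and key handling are constructed assumptions; the loader callable stands in for keras.saving.load_model.

```python
"""Verify a detached tag over a Keras model file before handing it to the loader.

Added example, not part of the original advisory or of Keras itself. It uses an
HMAC-SHA256 tag from the standard library so it runs without extra packages; a
real rollout would use an asymmetric signature (e.g. Ed25519 via `cryptography`)
so that serving hosts only ever hold a public key. Model bytes, file names and
key handling below are constructed placeholders.
"""
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path
from typing import Callable, Tuple, Union

SIG_SUFFIX = ".sig"  # detached tag stored beside the model (assumption)
PathLike = Union[str, Path]


def _model_tag(model_path: Path, key: bytes) -> bytes:
    """HMAC-SHA256 over the whole file, streamed so large models are fine."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    with model_path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            mac.update(chunk)
    return mac.digest()


def sign_model(model_path: PathLike, key: bytes) -> str:
    """Run once in the trusted build/release step; writes <model>.sig."""
    model_path = Path(model_path)
    tag = _model_tag(model_path, key).hex()
    model_path.with_name(model_path.name + SIG_SUFFIX).write_text(tag)
    return tag


def verify_model(model_path: PathLike, key: bytes) -> bool:
    """Return True only if a detached tag exists and matches the file bytes."""
    model_path = Path(model_path)
    sig_path = model_path.with_name(model_path.name + SIG_SUFFIX)
    if not sig_path.is_file():
        return False
    try:
        expected = bytes.fromhex(sig_path.read_text().strip())
    except ValueError:  # corrupt or hand-edited tag file
        return False
    return hmac.compare_digest(_model_tag(model_path, key), expected)


def load_verified_model(model_path: PathLike, key: bytes,
                        loader: Callable[[str], object]):
    """Gate the real loader (e.g. keras.saving.load_model) behind verification."""
    if not verify_model(model_path, key):
        raise ValueError(f"refusing to load {model_path}: signature missing or invalid")
    return loader(str(model_path))


def demo() -> Tuple[bool, bool, bool]:
    """Sign, verify, tamper, verify again; returns (ok_before, ok_after, refused)."""
    key = secrets.token_bytes(32)  # constructed; in practice from a secrets manager

    def read_back(path: str) -> bytes:  # stand-in for keras.saving.load_model
        return Path(path).read_bytes()

    with tempfile.TemporaryDirectory() as tmp:
        model = Path(tmp) / "classifier.keras"
        # Placeholder bytes; a real .keras file is a zip archive of config + weights.
        model.write_bytes(b"PK\x03\x04 constructed placeholder, not a real model")
        sign_model(model, key)
        ok_before = verify_model(model, key)
        load_verified_model(model, key, read_back)  # succeeds on the signed file
        with model.open("ab") as fh:  # simulate tampering after signing
            fh.write(b"\x00")
        ok_after = verify_model(model, key)
        try:
            load_verified_model(model, key, read_back)
            refused = False
        except ValueError:
            refused = True
    return ok_before, ok_after, refused


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The verification reads the file exactly as the loader will, so the check and the load must refer to the same path on a filesystem the attacker cannot modify between the two calls; copying the model into a private, read-only location before verifying avoids that window.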

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the risk of remote code execution, this vulnerability poses a severe threat to the organization. We recommend that all systems running affected versions of the Keras framework be patched immediately. While this CVE is not currently listed on the CISA KEV list, its critical nature demands that it be treated with the highest priority. If patching cannot be performed immediately, the compensating controls outlined above, particularly sandboxing and restricting model sources, must be implemented without delay.