A critical vulnerability chain has been discovered in NVIDIA’s Triton Inference Server that enables unauthenticated remote code execution (RCE), allowing attackers to gain full control over AI infrastructure. Tracked as CVE-2025-23319, CVE-2025-23320, and CVE-2025-23334, the vulnerability affects Triton’s widely-used Python backend, which is integral to serving AI models written in Python and also acts as a dependency for other backends. Exploiting this chain could result in theft of proprietary AI models, exposure of sensitive data, manipulation of AI outputs, and provide adversaries with a foothold for lateral movement within enterprise networks.

The attack unfolds in a sophisticated three-step process involving Inter-Process Communication (IPC) via shared memory regions in /dev/shm/. In the first stage, attackers craft large, malformed requests that cause backend exceptions, triggering error messages that leak internal shared memory names (e.g., triton_python_backend_shm_region_...). These leaked memory keys provide a foothold for the second stage, where attackers abuse Triton’s user-exposed shared memory API to register internal shared memory regions without proper validation checks, gaining unauthorized read/write access to the backend's private memory.

The final step leverages this access to manipulate internal memory structures. By corrupting elements such as MemoryShm and SendMessageBase, attackers can perform out-of-bounds memory operations and craft malicious IPC messages that achieve full remote code execution within the AI server environment. This gives threat actors complete control over the server, including the ability to exfiltrate data, alter AI behavior, and pivot to other networked resources, making this a high-severity chain of vulnerabilities.

Wiz Research, which identified and responsibly disclosed the flaws, notes that organizations using Triton are at immediate risk and must apply the patches released by NVIDIA in version 25.07 of the Triton Inference Server. Since the vulnerability impacts both the main server and the Python backend, a comprehensive update across all affected components is essential. Wiz customers can leverage tailored detection queries through the Vulnerability Findings page and Security Graph to locate exposed assets across containers, serverless functions, and virtual machines. Given the scale at which Triton is deployed in AI/ML workflows, failure to patch promptly could have widespread security and operational implications.