Executive Summary
In mid-2025, a significant security vulnerability was discovered in three widely used open-source Python libraries—NeMo (by NVIDIA), Uni2TS (by Salesforce), and FlexTok (by Apple)—which are integral to various AI and ML platforms. These libraries, collectively downloaded over 10 million times via the HuggingFace platform, were found to execute arbitrary code embedded within model metadata, making them susceptible to remote code execution if exploited by attackers. The vulnerabilities were identified in April 2025 and resolved by July 2025, with corresponding CVEs assigned and severity scores ranging from 7.8 to 9.8 out of 10. As of December 2025, there have been no indications of these flaws being exploited in the wild. (techradar.com)
This incident underscores the critical importance of securing AI and ML infrastructure, especially as these technologies become increasingly integrated into business operations. The rapid adoption of AI tools without adequate security measures can expose organizations to significant risks, including data breaches and unauthorized access. It highlights the necessity for continuous monitoring, timely patching, and the implementation of robust security protocols to safeguard against emerging threats in the AI landscape.
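The executive summary describes the vulnerability class (a library that executes code referenced from a model's metadata) but not what a platform can do about it before a model is served. Below is an added example, not code from NeMo, Uni2TS, FlexTok or Hugging Face: a pre-deployment gate that walks a parsed model config and flags the fields that can turn loading into code execution. The allowlist of package prefixes, the `init_hook` key and both sample configs are constructed; `auto_map` and `custom_pipelines` are the Hugging Face Transformers keys that point at custom model code, and `_target_` is the Hydra-style key NeMo-type configs use to instantiate a class from a dotted import path.

```python
"""Pre-deployment gate for ML model metadata.

Added example for this page; it is not code from NeMo, Uni2TS or FlexTok.
It walks a model's metadata (a config.json already parsed into a dict)
and flags fields that can make a loader execute code: Hydra-style
`_target_` import paths outside an allowlist, Hugging Face `auto_map` /
`custom_pipelines` entries (loaded only with trust_remote_code=True),
and string values that look like inline Python. The allowlist and the
sample metadata below are constructed for the example.
"""
import json
import re
from typing import Any, Iterator

# Assumption: module prefixes this platform is willing to instantiate.
ALLOWED_TARGET_PREFIXES = ("nemo.", "torch.", "transformers.")

# Keys that point a loader at custom code shipped with the model.
REMOTE_CODE_KEYS = {"auto_map", "custom_pipelines"}

# Substrings that have no business inside a configuration value.
INLINE_CODE_PATTERN = re.compile(
    r"__import__|\bimport\s+\w|\bexec\(|\beval\(|os\.system|subprocess"
    r"|pickle\.loads|base64\.b64decode"
)


def _walk(node: Any, keys: tuple = ()) -> Iterator[tuple[tuple, Any]]:
    """Yield (key path, leaf value) for every leaf in nested dicts/lists."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, keys + (str(k),))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, keys + (f"[{i}]",))
    else:
        yield keys, node


def scan_model_metadata(metadata: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: list[str] = []
    reported_remote_keys: set[str] = set()
    for keys, value in _walk(metadata):
        path = ".".join(keys)
        # 1. Any auto_map / custom_pipelines subtree means custom code on load.
        for k in REMOTE_CODE_KEYS.intersection(keys):
            if k not in reported_remote_keys:
                reported_remote_keys.add(k)
                findings.append(f"{k}: metadata references custom model code")
        # 2. _target_ may only instantiate classes from allowlisted packages.
        if keys and keys[-1] == "_target_":
            if not (isinstance(value, str) and value.startswith(ALLOWED_TARGET_PREFIXES)):
                findings.append(f"{path}: _target_ {value!r} is outside the allowlist")
        # 3. No configuration value should look like executable Python.
        if isinstance(value, str) and INLINE_CODE_PATTERN.search(value):
            findings.append(f"{path}: value looks like inline code: {value!r}")
    return findings


def is_safe_to_deploy(metadata_json: str) -> bool:
    """Deployment gate: allow only parseable metadata with zero findings."""
    try:
        metadata = json.loads(metadata_json)
    except json.JSONDecodeError:
        return False  # unparseable metadata is rejected, not waved through
    return isinstance(metadata, dict) and not scan_model_metadata(metadata)


# Constructed sample metadata: one clean config, one carrying code hooks.
BENIGN_METADATA = {
    "model_type": "bert",
    "hidden_size": 768,
    "_target_": "nemo.collections.nlp.models.TextClassificationModel",
    "tokenizer": {"name": "bert-base-uncased"},
}
SUSPICIOUS_METADATA = {
    "model_type": "bert",
    "auto_map": {"AutoModel": "modeling_custom.CustomModel"},
    "_target_": "builtins.exec",
    "init_hook": "__import__('os').getcwd()",
}

if __name__ == "__main__":
    for name, meta in (("benign", BENIGN_METADATA), ("suspicious", SUSPICIOUS_METADATA)):
        print(name, "->", scan_model_metadata(meta) or "no findings")
```

The gate is deliberately allowlist-based: a `_target_` outside the packages the platform ships is rejected even if it is not obviously malicious, because a dotted import path is a code-execution primitive regardless of what it names. Running the block prints no findings for the benign config and three for the suspicious one (the `auto_map` subtree, the non-allowlisted `_target_`, and the inline-code string).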
Why This Matters Now
The rapid integration of AI and ML tools into business operations, coupled with the discovery of critical vulnerabilities in widely used libraries, underscores the urgent need for robust security measures to protect against potential exploits and data breaches.
Attack Path Analysis
An attacker exploited a machine learning platform's model deployment feature to achieve remote code execution, then escalated privileges to access internal services, moved laterally within the network, established command and control channels, exfiltrated sensitive data, and ultimately disrupted operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the ML platform's model deployment feature by uploading a malicious model, achieving remote code execution within the platform's infrastructure.
MITRE ATT&CK® Techniques
- Valid Accounts
- Exploitation for Client Execution
- Command and Scripting Interpreter
- Hijack Execution Flow
- Network Service Discovery
- Remote Services
- Impair Defenses
- Application Layer Protocol
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Separation of Duties (Control ID: 6.4.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Network Segmentation (Control ID: 3.1)
- NIS2 Directive – Security Measures (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI/ML platform exploitation enables remote code execution through malicious model deployment, compromising software development infrastructure and creating unauthorized access to internal networks.
Information Technology/IT
MLOps platforms with weak segmentation allow attackers to establish C2 infrastructure from trial accounts, bypassing traditional security controls and accessing sensitive IT resources.
Financial Services
AI platform vulnerabilities threaten fraud detection systems and recommendation engines, with potential for data exfiltration from internal databases violating HIPAA and PCI compliance requirements.
Computer/Network Security
Security providers using AI platforms face elevated risks as attackers exploit model execution capabilities to bypass detection systems and establish persistent network access.
Sources
- Beyond Prompt Injection: The Hidden AI Security Threats in Machine Learning Platforms – https://www.praetorian.com/blog/hidden-ai-security-threats-in-machine-learning-platforms/
- MITRE ATLAS OpenClaw Investigation – https://www.mitre.org/sites/default/files/2026-02/PR-26-00176-1-MITRE-ATLAS-OpenClaw-Investigation.pdf
- SAFE-AI Report – https://atlas.mitre.org/pdf-files/SAFEAI_Full_Report.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to exploit the ML platform, limiting lateral movement and data exfiltration.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to execute unauthorized code within the ML platform's infrastructure would likely be constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and access internal services would likely be constrained, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the risk of further internal compromise.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish and maintain command and control channels would likely be constrained, reducing the risk of persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data to external locations would likely be constrained, reducing the risk of data loss.
The attacker's ability to disrupt operations and compromise system integrity would likely be constrained, reducing the overall impact of the attack.
Impact at a Glance
Affected Business Functions
- AI Model Deployment
- Cloud Infrastructure Management
- Internal Network Security
Estimated downtime: 3 days
Estimated loss: $50,000
Potential access to internal services, databases, and resources due to weak network segmentation.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
- Enhance East-West Traffic Security to monitor and control internal communications, reducing the risk of privilege escalation.
- Deploy Egress Security & Policy Enforcement to restrict unauthorized outbound traffic and prevent data exfiltration.
- Utilize Multicloud Visibility & Control to gain comprehensive insights into network traffic and detect anomalous behaviors.
- Establish a Threat Detection & Anomaly Response program to proactively identify and respond to potential threats within the ML platform.
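The recommendations above name segmentation, east-west control and egress enforcement without showing what the policy actually decides. The following added example, which is not Aviatrix code and does not model the CNSF product, implements the decision logic for all three on constructed flow records: every workload role gets an explicit allowlist of internal peers and external destinations, everything else is denied, and the denials are the alert feed for the threat detection program in the last bullet. The roles, addresses (RFC 5737 documentation ranges for external hosts), the 50 MiB per-flow upload threshold and the five sample flows are all assumptions made for the example.

```python
"""Segmentation and egress policy check for ML platform workloads.

Added example for this page; it is not Aviatrix code and does not model
the CNSF product. It shows the logic behind the segmentation, east-west
and egress recommendations: every workload role gets an explicit
allowlist of internal peers and external destinations, anything else is
denied, and the denials are what a detection program alerts on. Roles,
addresses, thresholds and flow records are all constructed.
"""
import ipaddress
from dataclasses import dataclass

# Assumed private address space of the platform.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed segmentation policy: role -> set of (destination, port) it may reach.
# Internal destinations are peer roles; external ones are "external:<name>".
POLICY = {
    "model-serving": {("feature-store", 5432), ("external:pypi.org", 443)},
    "notebook": {("feature-store", 5432), ("model-serving", 8080)},
    "feature-store": set(),
}

# Assumed inventory mapping addresses to workload roles.
INVENTORY = {
    "10.0.1.10": "model-serving",
    "10.0.2.20": "feature-store",
    "10.0.3.30": "notebook",
    "10.0.4.40": "secrets-vault",
}

# Assumed resolution of allowlisted external names (documentation range).
EXTERNAL_NAMES = {"198.51.100.10": "pypi.org"}

# Assumed per-flow upload volume above which even allowed egress is denied.
EXFIL_BYTES = 50 * 1024 * 1024


@dataclass
class Verdict:
    src: str
    dst: str
    dport: int
    action: str  # "allow" or "deny"
    reason: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_flow(flow: dict) -> Verdict:
    """Apply the role policy to one flow record and explain the decision."""
    src, dst, port = flow["src"], flow["dst"], flow["dport"]
    src_role = INVENTORY.get(src, "unknown")
    allowed = POLICY.get(src_role, set())
    if is_internal(dst):
        # East-west: only allowlisted peer roles on allowlisted ports.
        peer = INVENTORY.get(dst, "unknown")
        if (peer, port) in allowed:
            return Verdict(src, dst, port, "allow", f"{src_role} -> {peer} permitted")
        return Verdict(src, dst, port, "deny",
                       f"east-west: {src_role} may not reach {peer}:{port}")
    # Egress: destination must resolve to an allowlisted name, and even then
    # a single oversized upload is treated as possible exfiltration.
    name = EXTERNAL_NAMES.get(dst)
    if name and (f"external:{name}", port) in allowed:
        if flow["bytes_out"] > EXFIL_BYTES:
            return Verdict(src, dst, port, "deny",
                           f"egress: {flow['bytes_out']} bytes to {name} exceeds volume threshold")
        return Verdict(src, dst, port, "allow", f"egress to {name} permitted")
    return Verdict(src, dst, port, "deny",
                   f"egress: {dst}:{port} is not an allowlisted destination")


def evaluate_flows(flows: list) -> list:
    return [evaluate_flow(f) for f in flows]


def denied(flows: list) -> list:
    """The alert list: every flow the policy rejects."""
    return [v for v in evaluate_flows(flows) if v.action == "deny"]


# Constructed flow records: a normal feature-store read, a lateral move to
# the vault, a beacon to an unlisted host, a bulk upload to an allowed host,
# and a notebook calling the serving endpoint.
SAMPLE_FLOWS = [
    {"src": "10.0.1.10", "dst": "10.0.2.20", "dport": 5432, "bytes_out": 4096},
    {"src": "10.0.1.10", "dst": "10.0.4.40", "dport": 8200, "bytes_out": 2048},
    {"src": "10.0.1.10", "dst": "203.0.113.7", "dport": 443, "bytes_out": 1200},
    {"src": "10.0.1.10", "dst": "198.51.100.10", "dport": 443, "bytes_out": 900 * 1024 * 1024},
    {"src": "10.0.3.30", "dst": "10.0.1.10", "dport": 8080, "bytes_out": 512},
]

if __name__ == "__main__":
    for v in evaluate_flows(SAMPLE_FLOWS):
        print(f"{v.action:5} {v.src} -> {v.dst}:{v.dport}  {v.reason}")
```

Run stand-alone, the block allows the first and last flows and denies the middle three, each with a reason that maps to one recommendation: the vault access is an east-west violation, the unlisted host is an egress policy violation, and the oversized upload to an otherwise permitted host is caught by the volume check. An unknown source address gets an empty allowlist and is therefore denied everywhere, which is the least-privilege default the first bullet asks for.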