Executive Summary
In 2025, a significant AI model extraction attack was identified, where adversaries systematically queried a proprietary machine learning model's API to replicate its functionality. By sending carefully crafted inputs and analyzing the outputs, attackers reconstructed a substitute model that closely mirrored the original's behavior. This breach exposed the model's intellectual property, leading to potential competitive disadvantages and financial losses for the organization. The incident underscores the vulnerabilities inherent in exposing AI models through APIs without adequate security measures. (techtarget.com)
The rise of such model extraction attacks highlights the urgent need for organizations to implement robust defenses, including rate limiting, output perturbation, and behavioral monitoring, to protect their AI assets from unauthorized replication and misuse. (snyk.io)
Why This Matters Now
As AI models become integral to business operations, the threat of model extraction attacks poses significant risks to intellectual property and competitive advantage. Organizations must prioritize securing their AI systems to prevent unauthorized replication and potential misuse.
Attack Path Analysis
An adversary exploited unrestricted access to a machine learning model's API to systematically query the model, collecting input-output pairs. Using this data, they trained a substitute model that closely mimicked the original's behavior. The attacker then utilized this replica model to develop adversarial inputs, potentially compromising the integrity of the original system.
Kill Chain Progression
Initial Compromise
Description
The adversary gained access to the machine learning model's API, which lacked proper access controls, allowing unrestricted querying.
Related CVEs
CVE-2025-12058
CVSS 5.9
A vulnerability in Keras models allows arbitrary file access and server-side request forgery (SSRF) due to improper handling of model imports.
Affected Products: Keras / Keras – All versions prior to the fix
Exploit Status: proof of concept
CVE-2024-6868
CVSS 9.8
mudler/LocalAI version 2.17.1 allows for arbitrary file write due to improper handling of automatic archive extraction, leading to potential remote code execution.
Affected Products: mudler / LocalAI – 2.17.1
Exploit Status: no public exploit
CVE-2021-41127
CVSS 7.1
Rasa versions prior to 2.8.10 contain a Zip Slip vulnerability in model loading functionality, allowing potential arbitrary write within specific directories.
Affected Products: Rasa / Rasa – < 2.8.10
Exploit Status: no public exploit
CVE-2023-48299
CVSS 5.3
TorchServe versions 0.1.0 to 0.9.0 contain a Zip Slip vulnerability in the model/workflow management API, allowing extraction of harmful archives to any location on the filesystem.
Affected Products: TorchServe / TorchServe – 0.1.0 to 0.9.0
Exploit Status: no public exploit
MITRE ATT&CK® Techniques
Obtain Capabilities: Artificial Intelligence
Application Layer Protocol: Web Protocols
Brute Force: Password Spraying
Remote Services: Remote Desktop Protocol
Data from Local System
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for managing vulnerabilities are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement robust authentication and authorization mechanisms.
Control ID: Identity Pillar: Authentication and Authorization
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI model extraction attacks threaten proprietary ML models exposed via APIs, enabling intellectual property theft and competitive disadvantage through behavioral replication techniques.
Health Care / Life Sciences
Medical imaging and diagnostic ML models face extraction risks, potentially compromising patient data privacy and enabling unauthorized replication of specialized healthcare AI systems.
Financial Services
Fraud detection and risk assessment models vulnerable to extraction attacks, allowing adversaries to understand decision boundaries and develop evasion techniques against financial controls.
Computer/Network Security
Security ML models protecting against threats become targets themselves, with extracted models revealing detection capabilities and enabling adversaries to craft targeted attack payloads.
Sources
- Stealing AI Models Through the API: A Practical Model Extraction Attack – https://www.praetorian.com/blog/stealing-ai-models-through-the-api-a-practical-model-extraction-attack/
- Zscaler Discovers Vulnerability in Keras Models Allowing Arbitrary File Access and SSRF (CVE-2025-12058) – https://www.zscaler.com/blogs/security-research/zscaler-discovers-vulnerability-keras-models-allowing-arbitrary-file-access
- NVD - CVE-2024-6868 – https://nvd.nist.gov/vuln/detail/CVE-2024-6868
- CVE-2021-41127 Impact, Exploitability, and Mitigation Steps | Wiz – https://www.wiz.io/vulnerability-database/cve/cve-2021-41127
- CVE-2023-48299 Impact, Exploitability, and Mitigation Steps | Wiz – https://www.wiz.io/vulnerability-database/cve/cve-2023-48299
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have restricted unauthorized access to the machine learning model's API, thereby limiting the attacker's ability to extract data and develop adversarial inputs.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Implementing Aviatrix CNSF would likely have restricted unauthorized access to the API, thereby preventing the adversary from initiating unrestricted queries.
Control: Zero Trust Segmentation
Mitigation: With Zero Trust Segmentation, the attacker's ability to escalate privileges by sending crafted inputs would likely have been constrained.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security would likely have restricted the attacker's ability to move laterally and access other resources to train a substitute model.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control would likely have detected and restricted unauthorized communications between the replica model and the original system.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement would likely have prevented the exfiltration of sensitive data by controlling outbound traffic.
While prior controls would likely have mitigated earlier stages, the residual risk includes potential exposure of proprietary algorithms and data.
Impact at a Glance
Affected Business Functions
- AI Model Development
- API Services
- Intellectual Property Management
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of proprietary AI model architectures and training data.
Recommended Actions
Key Takeaways & Next Steps
- Implement strict access controls and authentication mechanisms for all machine learning model APIs to prevent unauthorized access.
- Monitor and limit the rate of API queries to detect and mitigate potential model extraction attempts.
- Utilize output perturbation techniques to reduce the information disclosed in model responses, thereby hindering adversarial learning.
- Regularly audit and monitor API usage patterns to identify and respond to anomalous behaviors indicative of model extraction.
- Apply data loss prevention (DLP) measures to detect and prevent unauthorized exfiltration of sensitive data through model APIs.
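The following is an added example, not code from the original report or any vendor named in it, showing how three of the recommended actions (per-client rate limiting, monitoring of query patterns for extraction behaviour, and output truncation as a form of output perturbation) can be enforced at an inference API gateway. Class and function names, thresholds and the sample model output are assumptions chosen for illustration.

```python
# Added example, not from the original report: gateway-side controls for an ML
# inference API. Names, thresholds and sample inputs are assumptions for illustration.
from collections import deque
import time

WINDOW_SECONDS = 60            # sliding window for the per-client query budget
MAX_QUERIES_PER_WINDOW = 100   # hard rate limit per client and window
MIN_ALERT_QUERIES = 50         # do not judge a client on too few queries
LOW_MARGIN = 0.2               # top-1 minus top-2 score below which an input sits near a boundary
LOW_MARGIN_ALERT_RATIO = 0.5   # share of near-boundary queries that raises an alert


class InferenceGuard:
    """Rate limiting plus behavioral monitoring for model-extraction patterns."""
    def __init__(self, now=time.monotonic):
        self._now = now          # injectable clock so the logic is testable
        self._history = {}       # client_id -> deque of (timestamp, margin)

    def _window(self, client_id, now):
        dq = self._history.setdefault(client_id, deque())
        while dq and now - dq[0][0] > WINDOW_SECONDS:   # drop entries outside the window
            dq.popleft()
        return dq

    def allow(self, client_id):
        """Rate limit: True while the client still has budget left in the window."""
        return len(self._window(client_id, self._now())) < MAX_QUERIES_PER_WINDOW

    def record(self, client_id, probs):
        """Log an answered query; True when the client's recent inputs cluster near
        decision boundaries, a pattern consistent with extraction rather than normal use."""
        now = self._now()
        top = sorted(probs.values(), reverse=True)
        margin = top[0] - (top[1] if len(top) > 1 else 0.0)
        dq = self._window(client_id, now)
        dq.append((now, margin))
        if len(dq) < MIN_ALERT_QUERIES:
            return False
        low = sum(1 for _, m in dq if m < LOW_MARGIN)
        return low / len(dq) >= LOW_MARGIN_ALERT_RATIO


def harden_output(probs, top_k=1, decimals=1):
    """Output perturbation by truncation: expose only top-k labels with coarsened scores."""
    ranked = sorted(probs.items(), key=lambda kv: kv[1], reverse=True)[:top_k]
    return {label: round(score, decimals) for label, score in ranked}


if __name__ == "__main__":
    guard = InferenceGuard()
    raw = {"cat": 0.61, "dog": 0.27, "bird": 0.12}   # constructed model output
    if guard.allow("client-a"):
        print("alert:", guard.record("client-a", raw), "response:", harden_output(raw))
```

The alert logic is deliberately simple; in production the near-boundary ratio would be one signal among several (query volume over time, input diversity, account age) fed to the audit and DLP processes listed above.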