NVIDIA Megatron LM Vulnerability Let Attackers Inject Malicious Code
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Critical security vulnerabilities in NVIDIA Megatron LM large language model framework that could allow attackers to inject malicious code and gain unauthorized system access.
The company released emergency security patches on June 24, 2025, addressing two high-severity vulnerabilities that affect all versions of the popular AI training platform prior to version 0.12.0.
Summary 1. Two high-severity code injection flaws (CVE-2025-23264, CVE-2025-23265) with CVSS 7.8 scores affect all Megatron LM versions before 0.12.0. 2. Exploitation enables code execution, privilege escalation, data access, and AI model tampering through malicious file injection. 3. Local system access with low privileges needed to exploit vulnerabilities via specially crafted files. 4. Immediate upgrade to Megatron LM version 0.12.1+ from NVIDIA's GitHub repository.
Overview of Code Injection Vulnerabilities
Two significant security flaws have been identified in NVIDIA’s Megatron LM framework, designated as CVE-2025-23264 and CVE-2025-23265.
Both vulnerabilities stem from code injection weaknesses in Python components within the framework, classified under CWE-94 (Code Injection) in the Common Weakness Enumeration system.
The vulnerabilities carry a CVSS v3.1 base score of 7.8, marking them as high-severity threats.
Security researchers Yu Rong and Hao Fan are credited with discovering and reporting these critical flaws to NVIDIA’s Product Security Incident Response Team (PSIRT).
These vulnerabilities represent a significant risk to organizations utilizing NVIDIA’s framework for large-scale language model training and inference.
The potential for code execution through malicious file injection could compromise entire AI infrastructure deployments.
The attack vector for both vulnerabilities follows the pattern AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with low attack complexity and low privileges required.
Attackers can exploit these vulnerabilities by providing specially crafted malicious files to the Megatron LM system.
Upon successful exploitation, attackers could achieve multiple severe impacts, including code execution, escalation of privileges, information disclosure, and data tampering.
CVEs Affected Products Impact Exploit Prerequisites CVSS 3.1 Score CVE-2025-23264 CVE-2025-23265NVIDIA Megatron-LM (All platforms)Code execution, escalation of privileges, information disclosure, data tamperingLocal access, low attack complexity, low privileges required, no user interaction needed7.8 (High)
Mitigations
NVIDIA strongly recommends that all Megatron LM users immediately update to version 0.12.1 or later, available through the official GitHub repository.
Organizations should prioritize this update due to the high-severity nature of these vulnerabilities.
The security update addresses both CVE-2025-23264 and CVE-2025-23265 simultaneously. Users running earlier software branch releases should upgrade to the latest branch release to ensure comprehensive protection.
NVIDIA emphasizes that their risk assessment represents an average across diverse installations, and individual organizations should evaluate risks specific to their configurations.
Organizations should also review their access controls and file handling procedures while implementing these updates to minimize potential attack surfaces.
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
NVIDIA Megatron LM Vulnerability Let Attackers Inject Malicious Code
Author: KaaviyaCritical security vulnerabilities in NVIDIA Megatron LM large language model framework that could allow attackers to inject malicious code and gain unauthorized system access.
The company released emergency security patches on June 24, 2025, addressing two high-severity vulnerabilities that affect all versions of the popular AI training platform prior to version 0.12.0.
Summary 1. Two high-severity code injection flaws (CVE-2025-23264, CVE-2025-23265) with CVSS 7.8 scores affect all Megatron LM versions before 0.12.0. 2. Exploitation enables code execution, privilege escalation, data access, and AI model tampering through malicious file injection. 3. Local system access with low privileges needed to exploit vulnerabilities via specially crafted files. 4. Immediate upgrade to Megatron LM version 0.12.1+ from NVIDIA's GitHub repository.
Overview of Code Injection Vulnerabilities
Two significant security flaws have been identified in NVIDIA’s Megatron LM framework, designated as CVE-2025-23264 and CVE-2025-23265.
Both vulnerabilities stem from code injection weaknesses in Python components within the framework, classified under CWE-94 (Code Injection) in the Common Weakness Enumeration system.
The vulnerabilities carry a CVSS v3.1 base score of 7.8, marking them as high-severity threats.
Security researchers Yu Rong and Hao Fan are credited with discovering and reporting these critical flaws to NVIDIA’s Product Security Incident Response Team (PSIRT).
These vulnerabilities represent a significant risk to organizations utilizing NVIDIA’s framework for large-scale language model training and inference.
The potential for code execution through malicious file injection could compromise entire AI infrastructure deployments.
The attack vector for both vulnerabilities follows the pattern AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with low attack complexity and low privileges required.
Attackers can exploit these vulnerabilities by providing specially crafted malicious files to the Megatron LM system.
Upon successful exploitation, attackers could achieve multiple severe impacts, including code execution, escalation of privileges, information disclosure, and data tampering.
CVEs Affected Products Impact Exploit Prerequisites CVSS 3.1 Score CVE-2025-23264 CVE-2025-23265NVIDIA Megatron-LM (All platforms)Code execution, escalation of privileges, information disclosure, data tamperingLocal access, low attack complexity, low privileges required, no user interaction needed7.8 (High)
Mitigations
NVIDIA strongly recommends that all Megatron LM users immediately update to version 0.12.1 or later, available through the official GitHub repository.
Organizations should prioritize this update due to the high-severity nature of these vulnerabilities.
The security update addresses both CVE-2025-23264 and CVE-2025-23265 simultaneously. Users running earlier software branch releases should upgrade to the latest branch release to ensure comprehensive protection.
NVIDIA emphasizes that their risk assessment represents an average across diverse installations, and individual organizations should evaluate risks specific to their configurations.
Organizations should also review their access controls and file handling procedures while implementing these updates to minimize potential attack surfaces.
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now
#Cyber_Security #Cyber_Security_News #Vulnerability #cyber_security #cyber_security_news #vulnerability
Оригинальная версия на сайте:
