Cyber Security News

Critical AI Security Flaws Let Attackers Bypass Detection & Execute Remote Code

Artificial Intelligence (AI) has become one of the fastest-booming technologies of this decade, with several advancements in multiple industries.

In several cases, threat actors have exploited AI systems to retrieve sensitive information later used in other attack vectors.

However, a technology growing this quickly also calls for vigilance toward vulnerabilities that arise during development or at run time.

A bug bounty program created to protect artificial intelligence has detected several vulnerabilities using custom-developed and open-source tools.

Critical AI Security Flaws

According to the reports shared with Cyber Security News, there were more than 9 vulnerabilities detected this month. The most crucial ones were a Validation Bypass, Arbitrary File Overwrite via Malicious Source URL, and Local file inclusion. 

The CVEs for these vulnerabilities were assigned as CVE-2024-0520 (10.0 – Critical), CVE-2023-6976 (8.8 – High), and CVE-2023-6977 (10.0 – Critical).

CVE-2024-0520 – MLflow Arbitrary File Overwrite

This vulnerability exists in MLflow, a tool for storing and tracking models. An attacker can perform an arbitrary file overwrite because of the code used to pull down data from remote storage. Users can be manipulated into using a malicious remote data source, which can in turn execute commands in the user’s context.

CVE-2023-6976 – MLflow Arbitrary File Overwrite

One of the MLflow functions that validate file path safety had a bypass vulnerability that would allow a threat actor to remotely overwrite files on the MLflow server, resulting in remote code execution. A threat actor can also overwrite the SSH keys on the system or edit the .bashrc file to execute arbitrary commands on the system when the next user logs in.

CVE-2023-6977 – MLflow Local File Include

On certain operating systems, a hosted MLflow instance can be manipulated into displaying sensitive file contents because of a file path safety bypass. This can also potentially lead to system takeover if SSH keys or cloud keys are stored on the server where MLflow has read permissions.
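Both CVE-2023-6976 and CVE-2023-6977 are described above as bypasses of a file path safety check. The Python below is an added example, not MLflow's code and not the actual bypass (which this article does not detail): it contrasts a hypothetical string-only validator with a check that resolves the path and confirms it stays inside the storage root. The function names, the `artifacts` directory and the sample inputs are all constructed for illustration.

```python
from pathlib import Path, PureWindowsPath
import tempfile

def naive_is_safe(rel_path: str) -> bool:
    """Hypothetical string-only check: no leading '/', no '..' segment split on '/'."""
    return not rel_path.startswith("/") and ".." not in rel_path.split("/")

def resolve_inside(root: Path, rel_path: str) -> Path:
    """Return the resolved target, or raise ValueError if it could escape root."""
    # Refuse separators and absolute forms from either OS family, so the
    # verdict does not depend on which operating system hosts the server.
    if "\\" in rel_path or "\x00" in rel_path:
        raise ValueError("backslash or NUL in path")
    win = PureWindowsPath(rel_path)
    if Path(rel_path).is_absolute() or win.is_absolute() or win.drive:
        raise ValueError("absolute path or drive prefix")
    root = root.resolve()
    target = (root / rel_path).resolve()  # collapses '..' and follows symlinks
    if target != root and root not in target.parents:
        raise ValueError("resolved path escapes root")
    return target

def check_all(root: Path, candidates):
    """Map each candidate to (naive verdict, hardened verdict)."""
    out = {}
    for c in candidates:
        try:
            resolve_inside(root, c)
            hardened = True
        except ValueError:
            hardened = False
        out[c] = (naive_is_safe(c), hardened)
    return out

def demo():
    """Run both checks over constructed inputs in a throwaway directory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d) / "artifacts"
        root.mkdir()
        (root / "link").symlink_to(Path(d))  # symlink that points outside root
        samples = ["model/weights.bin", "../outside.txt", "..\\..\\outside.txt",
                   "C:/Windows/win.ini", "link/outside.txt"]
        return check_all(root, samples)

if __name__ == "__main__":
    for path, verdicts in demo().items():
        print(f"{path!r}: naive={verdicts[0]} hardened={verdicts[1]}")
```

Every input where the two verdicts differ is one that a purely textual check accepts while the resolved location lies outside the storage root, or would on another operating system.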

A complete report has been published, which provides detailed information about these vulnerabilities, potential exploitation, impact, and other information. 

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
