A critical vulnerability in BentoML, CVE-2025-27520, exposes affected deployments to remote code execution without authentication. The flaw is a regression: a previously fixed bug was reintroduced through a lapse in patch management, and a successful attack would give an unauthenticated remote attacker control over the AI services BentoML serves. Exploitation could compromise company data, enabling data theft or full server takeover. BentoML fixed the issue in version 1.4.3, and affected deployments should upgrade to that release or later immediately.
Source: https://hackread.com/bentoml-vulnerability-remote-code-execution-ai-servers/
TPRM report: https://scoringcyber.rankiteo.com/company/bentoml
{
  "id": "ben833041125",
  "linkid": "bentoml",
  "type": "Vulnerability",
  "date": "4/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization’s existence"
}
{'affected_entities': [{'industry': 'Technology',
'name': 'BentoML',
'type': 'Software Provider'}],
'attack_vector': 'Remote Code Execution',
'description': 'A critical vulnerability, CVE-2025-27520, in BentoML put '
'systems at high risk for remote code execution without '
'authentication. The bug re-emerged due to a lapse in patch '
'management and could allow unauthorized control over AI '
'services. Exploitation would potentially compromise company '
'data, enabling data theft or server takeover. While BentoML '
'released a fix in version 1.4.3, the immediate upgrade is '
'crucial to mitigate threats.',
'impact': {'data_compromised': ['Company Data'],
'systems_affected': ['AI Services', 'Servers']},
'post_incident_analysis': {'corrective_actions': ['Upgrade to BentoML version '
'1.4.3'],
'root_causes': ['Lapse in patch management']},
'recommendations': ['Immediate upgrade to BentoML version 1.4.3',
'Enhanced patch management'],
'response': {'remediation_measures': ['Upgrade to BentoML version 1.4.3']},
'title': 'BentoML Critical Vulnerability CVE-2025-27520',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'CVE-2025-27520'}
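The record's only remediation is a version upgrade, so the practical check is whether any deployment or lock file still carries a BentoML release below 1.4.3. The following is an added example, not code from this page or from the BentoML project: a small Python audit that parses `bentoml==X` pins out of requirements/lock-file lines and, where BentoML is installed in the running interpreter, checks that version too. The record names only the fixed release, so anything below 1.4.3 is flagged (pre-releases of 1.4.3 included). The sample requirements lines are constructed, and the names `version_key`, `is_vulnerable`, `audit_requirements` and `installed_bentoml_version` are chosen here, not taken from any project.

```python
"""Audit pinned and installed BentoML versions against the CVE-2025-27520 fix."""
from __future__ import annotations

import re
from importlib import metadata

# First release carrying the fix, per the advisory summarised above.
FIXED_VERSION = "1.4.3"

# 'bentoml==1.4.1', 'bentoml[grpc] == 1.4.3rc1', etc. Only exact pins are audited;
# a range specifier means the resolved version must be read from a lock file instead.
_PIN_RE = re.compile(r"^\s*bentoml\s*(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)", re.I)

# major(.minor(.patch))? followed by any trailing tag (rc1, a2, .dev0, .post1 ...).
_VERSION_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(.*)$")

# Constructed sample (not from any real project): two services' pins in one file.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real lock file
fastapi==0.110.0
bentoml==1.4.1            # inference service A: below the fixed release
bentoml[grpc]==1.4.3rc1   # inference service B: pre-release of the fixed version
"""


def version_key(version: str) -> tuple[int, int, int, int]:
    """Map a version string to a comparable tuple (major, minor, patch, is_final).

    Missing components count as 0, so '1.4' == '1.4.0'. Any trailing tag makes
    is_final 0, so '1.4.3rc1' sorts below '1.4.3'. This also demotes post-releases
    ('1.4.3.post1'), which is the conservative direction for an audit: they get
    flagged for a human to look at rather than silently passing.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    major, minor, patch = (int(x or 0) for x in m.group(1, 2, 3))
    is_final = 1 if not m.group(4) else 0
    return (major, minor, patch, is_final)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fixed release."""
    return version_key(version) < version_key(FIXED_VERSION)


def audit_requirements(lines: list[str]) -> list[tuple[str, bool]]:
    """Return (pinned_version, vulnerable) for every exact BentoML pin in the lines."""
    findings: list[tuple[str, bool]] = []
    for raw in lines:
        line = raw.split("#", 1)[0]  # drop trailing comments before matching
        m = _PIN_RE.match(line)
        if m:
            pinned = m.group(1)
            findings.append((pinned, is_vulnerable(pinned)))
    return findings


def installed_bentoml_version() -> str | None:
    """Version of the BentoML distribution installed in this interpreter, if any."""
    try:
        return metadata.version("bentoml")
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    for pinned, vulnerable in audit_requirements(SAMPLE_REQUIREMENTS.splitlines()):
        status = f"UPGRADE to >={FIXED_VERSION}" if vulnerable else "ok"
        print(f"pinned bentoml=={pinned}: {status}")
    installed = installed_bentoml_version()
    if installed is None:
        print("bentoml not installed in this interpreter")
    else:
        status = f"UPGRADE to >={FIXED_VERSION}" if is_vulnerable(installed) else "ok"
        print(f"installed bentoml {installed}: {status}")
```

The hand-rolled ordering is deliberately simple; in a real pipeline use `packaging.version.Version` for full PEP 440 semantics. The point that matters for patch management is the second half of the record's recommendation: run this kind of check in CI against every service's lock file, not once at remediation time, so that a regression like the one described above shows up the next time an older pin is reintroduced.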