ShadowMQ: AI Framework Vulnerabilities Expose Inference Platforms

Key Takeaways

• RCE vulnerabilities impact major inference frameworks including Meta’s Llama (CVE-2024-50050), NVIDIA TensorRT-LLM (CVE-2025-23254), and vLLM (CVE-2025-32444). (Cyber Security News)
• Vulnerabilities arise from insecure use of ZeroMQ sockets with Python’s pickle deserialization — a pattern dubbed ShadowMQ. (Security Boulevard)
• Because of code reuse and copy-paste practices, the flaw spread across multiple projects (Modular Max Server, SGLang, and others), making broad deployment risk high. (eSecurity Planet)
• Attackers with access to exposed ZeroMQ sockets can achieve remote code execution, model theft, cluster takeover, and stealthy lateral movement.

Summary

When AI Frameworks Break: The ShadowMQ Vulnerabilities and the Future of AI Trust

ShadowMQ revealed that multiple high-profile AI inference frameworks are vulnerable to remote code execution (RCE). The issue stems from a design decision combining ZeroMQ for inter-component messaging with Python’s insecure pickle serialization — deserializing untrusted data without authentication. The result: any actor able to reach exposed sockets can execute arbitrary code on inference servers, including GPU workers and backend processes.

Because many of these frameworks serve as the backbone of enterprise AI infrastructure, the risk is systemic. The incident highlights a new class of AI-specific supply-chain vulnerabilities where code reuse and developer convenience introduce critical security flaws — flaws that traditional AppSec tools often miss.

What Happened: The Incident Overview

In November 2025, security researchers from Oligo Security documented a widespread vulnerability pattern — now known as ShadowMQ — affecting AI inference engines from Meta, NVIDIA, Microsoft, and open-source projects such as vLLM, SGLang, and Modular Max Server. 

The root cause lies in exposed ZeroMQ sockets using recv_pyobj() or similar methods to receive serialized data, which are automatically deserialized using Python’s pickle. Because pickle can execute arbitrary code during deserialization, attackers merely need access to the socket to run malicious payloads and gain remote code execution (RCE). 

Researchers confirmed live proof-of-concept exploits, demonstrating that a single exposed port could compromise entire inference clusters — including schedulers, GPU workers, agent orchestration, and model-serving pipelines. 

How the Breach Happened: Technical Breakdown

• Unsafe defaults: Many inference servers used unauthenticated ZeroMQ sockets bound to all interfaces.
• Insecure serialization: Python’s pickle was used for object serialization over network sockets — inherently unsafe for untrusted input.
• Code reuse magnified the flaw: Vulnerable logic was copied across multiple frameworks (Modular Max, SGLang, etc.), spreading the issue widely.
• No perimeter protection: Exposed, unprotected ZMQ sockets allowed remote attackers to connect and deliver malicious serialized payloads.
• Lack of AI-specific security controls: Traditional AppSec controls don’t inspect inter-service deserialization or protocol misuse inside AI infrastructure; as a result, these critical flaws went undetected.

Impact: Why This Matters

• Model & IP theft: Attackers can download and steal entire model weights and proprietary training data.
• Data leakage: Sensitive user inputs, model outputs, and embedded data become exposed.
• Infrastructure takeover: RCE permits installing malware, cryptominers, or persistence mechanisms across AI clusters.
• Lateral movement inside AI ecosystems: Once inside, attackers can pivot to connected services, pipelines, and agents.
• Widespread exposure across enterprises: Because many frameworks are open-source and widely used, this vulnerability affects a large portion of AI deployments globally.

ShadowMQ elevates foundational AI infrastructure failures to enterprise-wide security crises — a stark reminder that AI deployments demand the same rigor as traditional application environments, if not more.

PointGuard AI Perspective

ShadowMQ demonstrates the shift from traditional application vulnerabilities to deeply embedded AI-infrastructure risks. At PointGuard AI, we view this incident as a clear signal that enterprises must treat their AI stack with the same security discipline applied to their code and application layers.

Our platform helps organizations mitigate these risks by offering:

• Automated AI Asset Discovery — Identifies inference engines, ZeroMQ endpoints, MCP servers, and agent integrations across clusters.
• Posture Hardening & Configuration Controls — Detects unsafe default configurations (unauthenticated ZMQ sockets, unsafe serialization) and enforces secure deployments.
• Automated Red-Teaming & Vulnerability Scanning — Proactively tests for RCE vectors, unsafe deserialization, and misconfigured AI components before production deployment.
• Runtime Defense & Anomaly Detection — Monitors for unexpected network activity, suspicious deserialization events, and abnormal agent behavior; blocks malicious activity in real time.
• Governance & Compliance Support — Generates audit logs, tracks component versions, and maintains an AI-SBOM to support regulatory and internal compliance requirements.

ShadowMQ shows that the AI stack is only as secure as its weakest component — a reminder that deployment practices, code reuse, and serialization choices matter as much as model design. With PointGuard AI, enterprises can secure both their applications and the AI infrastructure layered on top.

Incident Scorecard Details

Total AISSI Score: 7.9 / 10

Criticality = 8, Remote code execution affected major AI inference frameworks (Meta, NVIDIA, Microsoft), enabling full compromise of model-serving infrastructure.

Propagation = 8, Vulnerable ZeroMQ + pickle patterns appeared across multiple widely deployed frameworks, allowing risk to spread through the AI ecosystem.

Exploitability = 8, Attackers could achieve RCE simply by sending crafted serialized payloads to exposed ZeroMQ sockets—low barrier to exploitation.

Supply Chain = 7, The flaw originated in shared open-source components embedded in many AI stacks, making coordinated detection and patching difficult.

Business Impact = 9, A successful compromise could lead to model theft, data leakage, cluster takeover, and operational outages across AI-dependent enterprises.

Sources

• SecurityBoulevard / PointGuard AI — Hidden Risks for AI Agents: ShadowMQ and MCP (pointguardai.com)
• The Hacker News — Researchers Find Serious AI Bugs Exposing Meta, Nvidia, and Microsoft Inference Frameworks (Cyber Security News)
• NVD / CVE-2025-32444 — vLLM ZeroMQ + Pickle Deserialization RCE Vulnerability (CVSS 9.8) (CVE CyberSecurity Database News)
• CybersecurityNews.com — Critical Vulnerabilities in AI Frameworks Impact Meta, NVIDIA, Microsoft (Cyber Security News)
• COE Security — ShadowMQ and Other Critical RCE Flaws (coesecurity.com)
• Cyberwarzone.com — ShadowMQ Flaw Exposes AI Inference Engines to Remote Code Execution (Cyberwarzone)