Nvidia recently patched a couple of Riva vulnerabilities that could allow hackers to abuse AI services.
Riva is a set of GPU-accelerated multilingual speech and translation services designed for building customizable, real-time conversational AI for large language models (LLMs) and retrieval-augmented generation (RAG).
A security advisory published by Nvidia on March 10 reveals that Riva is impacted by two improper access control issues. One of the flaws, tracked as CVE-2025-23242 and assigned a ‘high severity’ rating, can allow privilege escalation, data tampering, denial of service (DoS), and information disclosure.
The second vulnerability, CVE-2025-23243, is a medium-severity issue allowing data tampering and DoS attacks.
The security holes impact versions 2.18 and prior of Nvidia Riva on Linux. A patch is included in version 2.19.0.
The vulnerabilities were discovered by Trend Micro researchers and reported to Nvidia in November 2024. Trend Micro’s Zero Day Initiative has published individual advisories for CVE-2025-23242 and CVE-2025-23243, noting that they can both be exploited without authentication.
Alfredo Oliveira, one of the Trend Micro security researchers credited for reporting these vulnerabilities, told SecurityWeek that while Riva instances should not be exposed to the internet, the research was actually triggered by the discovery of web-facing systems.
Oliveira explained that they have identified several vulnerable Riva instances exposed to the internet due to a misconfiguration that was caught by Trend Micro solutions.
“The default cloud installation creates a network rule exposing the service to 0.0.0.0/0 (whole internet),” the researcher explained.
An attacker who finds a vulnerable Riva instance could use the associated service without authorization.
“Riva is an AI Speech service — it does translations, speech-to-text and text-to-speech generation, among other things. Both the license and infrastructure to run these are very expensive, abusing this system would cause a considerable financial impact,” Oliveira said.
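For defenders, the two conditions described above (a release older than 2.19.0 and a network rule open to 0.0.0.0/0) can be checked together across an inventory. The following is an added example, not code from Nvidia, Trend Micro or this article; the inventory format, instance names and port numbers are constructed assumptions.

```python
import ipaddress
import re

FIXED = (2, 19, 0)  # from the article: 2.18 and prior affected, patched in 2.19.0

def parse_version(text):
    """Turn '2.18' or '2.19.0' into a comparable 3-tuple (missing parts = 0)."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def is_world_open(cidr):
    """True for 0.0.0.0/0 and ::/0: a prefix length of 0 matches every address."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def triage(instances):
    """Return (name, status, world_open_ports) tuples, most urgent first."""
    order = {"exposed-and-unpatched": 0, "exposed": 1, "unpatched": 2, "ok": 3}
    findings = []
    for inst in instances:
        unpatched = parse_version(inst["riva_version"]) < FIXED
        open_ports = sorted({r["port"] for r in inst["ingress"]
                             if is_world_open(r["cidr"])})
        if unpatched and open_ports:
            status = "exposed-and-unpatched"
        elif open_ports:
            status = "exposed"
        elif unpatched:
            status = "unpatched"
        else:
            status = "ok"
        findings.append((inst["name"], status, open_ports))
    return sorted(findings, key=lambda f: (order[f[1]], f[0]))

# Constructed sample inventory (hypothetical names, ports and rule layout).
SAMPLE = [
    {"name": "riva-d", "riva_version": "2.19.0",
     "ingress": [{"cidr": "10.20.0.0/16", "port": 50051}]},
    {"name": "riva-c", "riva_version": "2.17",
     "ingress": [{"cidr": "10.0.0.0/8", "port": 50051}]},
    {"name": "riva-b", "riva_version": "2.19.0",
     "ingress": [{"cidr": "::/0", "port": 50051}]},
    {"name": "riva-a", "riva_version": "2.18.0",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 50051}]},
]

if __name__ == "__main__":
    for name, status, ports in triage(SAMPLE):
        print(f"{name:8} {status:22} world-open ports: {ports}")
```

A patched instance with a world-open rule is still reported as "exposed", since the article notes that Riva instances should not be reachable from the internet at all.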