CVE-2025-22892
📋 TL;DR
This vulnerability allows unauthenticated attackers on adjacent networks to cause denial of service by exhausting resources in OpenVINO model server software. It affects Intel OpenVINO model server versions before 2024.4. The attack requires network adjacency but no authentication.
💻 Affected Systems
- Intel OpenVINO Model Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption making the model server unavailable to legitimate users, potentially affecting dependent applications and services.
Likely Case
Degraded performance or temporary service unavailability requiring manual intervention to restore functionality.
If Mitigated
Limited impact with proper network segmentation and resource monitoring in place.
🎯 Exploit Status
The vulnerability is in resource consumption, making exploitation relatively straightforward once network access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2024.4 or later
Vendor Advisory: https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01272.html
Restart Required: Yes
Instructions:
1. Download OpenVINO model server version 2024.4 or later from Intel's official distribution channels.
2. Stop the current model server service.
3. Install the updated version following Intel's installation guide.
4. Restart the model server service.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the OpenVINO model server to only trusted networks and required clients.
# Configure firewall rules to limit access. Replace TRUSTED_NETWORK (CIDR) and
# MODEL_SERVER_PORT with your values; the ACCEPT rule must precede the DROP rule.
iptables -A INPUT -s TRUSTED_NETWORK -p tcp --dport MODEL_SERVER_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport MODEL_SERVER_PORT -j DROP
Resource Limits
Implement resource quotas and limits to prevent complete exhaustion.
# Set process limits in /etc/security/limits.conf (applied by pam_limits to
# login sessions; for a systemd-managed service set LimitNPROC= and LimitAS=
# in the unit's [Service] section instead).
# Maximum number of processes for the service account:
model_server_user hard nproc 100
# Maximum address space in KB (about 2 GB):
model_server_user hard as 2000000
🧯 If You Can't Patch
- Implement strict network access controls to limit exposure to adjacent networks
- Deploy monitoring and alerting for resource consumption patterns to detect potential attacks
🔍 How to Verify
Check if Vulnerable:
Check the OpenVINO model server version. If it's earlier than 2024.4 and accessible from adjacent networks, it's vulnerable.
Check Version:
Run ovms --version, or check the model server startup logs or configuration.
Verify Fix Applied:
Confirm the installed version is 2024.4 or later and test that resource consumption attacks no longer cause service disruption.
📡 Detection & Monitoring
Log Indicators:
- Unusually high resource consumption patterns
- Multiple connection attempts from single or adjacent IPs
- Service restart events following resource exhaustion
Network Indicators:
- High volume of requests to model server ports from unexpected sources
- Traffic patterns suggesting resource exhaustion attempts
SIEM Query:
source="openvino_model_server" AND (resource_usage>90% OR connection_count>threshold) | stats count by src_ip
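As an added example (not part of this advisory or of OpenVINO Model Server), the "multiple connection attempts from a single IP" indicator above can be checked offline with a sliding-window counter over request log lines. The log line format, the sample lines and the threshold values are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (timestamp, client IP, method, path). This layout is an
# assumption for illustration, not the model server's real log format.
SAMPLE_LOG = """\
2025-01-10T12:00:00Z 10.0.0.5 POST /v2/models/resnet/infer
2025-01-10T12:00:01Z 10.0.0.7 POST /v2/models/resnet/infer
2025-01-10T12:00:01Z 10.0.0.5 POST /v2/models/resnet/infer
2025-01-10T12:00:02Z 10.0.0.5 POST /v2/models/resnet/infer
this line is malformed and must be skipped
2025-01-10T12:00:03Z 10.0.0.5 POST /v2/models/resnet/infer
2025-01-10T12:00:04Z 10.0.0.5 POST /v2/models/resnet/infer
2025-01-10T12:00:05Z 10.0.0.5 POST /v2/models/resnet/infer
2025-01-10T12:00:20Z 10.0.0.7 POST /v2/models/resnet/infer
2025-01-10T12:00:40Z 10.0.0.7 POST /v2/models/resnet/infer
"""

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+) (\S+) (\S+)$")


def parse_line(line):
    """Return (timestamp, src_ip, method, path) or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_bursts(log_text, window_seconds=10, max_requests=5):
    """Return {src_ip: (first_flag_time, count_in_window)} for every source that
    sends more than max_requests within any window_seconds-long sliding window.
    Lines are assumed to be in chronological order."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # tolerate malformed lines instead of aborting the scan
        ts, src, _method, _path = parsed
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that fell out of the window
        if len(q) > max_requests and src not in flagged:
            flagged[src] = (ts, len(q))
    return flagged
```

Thresholds should be tuned to the legitimate client request rate before alerting on the result.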