Nvidia Patches Critical Vulnerabilities in AI Speech Service Riva

Nvidia has rolled out crucial security updates to address vulnerabilities in its Riva AI platform. If left unpatched, hackers could exploit its services for unauthorized access and potential financial damage.

Riva, Nvidia’s GPU-accelerated speech and translation service, is widely used for real-time conversational AI applications, including large language models (LLMs) and retrieval-augmented generation (RAG). However, security researchers at Trend Micro recently identified two significant flaws in the platform that could be leveraged for cyberattacks.

According to a security advisory published by Nvidia on March 10, the vulnerabilities stem from improper access control mechanisms. The more severe of the two, CVE-2025-23242, has been rated ‘high severity’ and could enable privilege escalation, data tampering, denial-of-service (DoS) attacks, and information disclosure. The second flaw, CVE-2025-23243, is considered of medium severity and primarily facilitates data tampering and DoS attacks.

Both vulnerabilities impact Riva versions 2.18 and earlier running on Linux. Nvidia has addressed these security gaps in Riva version 2.19.0 and urges users to update their systems immediately to mitigate risks.

Trend Micro researchers initially reported the flaws to Nvidia in November 2024 through the Zero Day Initiative. These vulnerabilities can be exploited without requiring authentication, making unpatched systems susceptible to attacks.

Security researcher Alfredo Oliveira, one of the Trend Micro experts credited with uncovering the vulnerabilities, emphasized the risks associated with misconfigured Riva instances. He noted that while these systems are not meant to be exposed to the internet, some were found to be publicly accessible due to configuration errors.

“The default cloud installation creates a network rule exposing the service to 0.0.0.0/0 (whole internet),” Oliveira explained.

Such exposure allows attackers to access Riva services without authorization, potentially leading to misuse of its AI capabilities. Given the high costs associated with AI infrastructure and licensing, Oliveira highlighted that “abusing this system would cause a considerable financial impact.”

Nvidia’s swift response in patching the vulnerabilities underscores the importance of proactive cybersecurity measures in AI-driven technologies. Organizations using Riva are strongly advised to verify their configurations and apply the latest security updates to safeguard against potential exploitation.