Recent analysis of the security landscape of machine learning (ML) frameworks has revealed that ML software is subject to more security vulnerabilities than more mature software categories such as DevOps tools or web servers.
The growing adoption of machine learning across industries highlights the critical need to secure ML systems, as vulnerabilities can lead to unauthorized access, data breaches, and compromised operations.
The report from JFrog claims ML projects such as MLflow have seen an increase in critical vulnerabilities. Over the last few months, JFrog has uncovered 22 vulnerabilities across 15 open source ML projects. Among these vulnerabilities, two categories stand out: threats targeting server-side components and risks of privilege escalation within ML frameworks.
Critical vulnerabilities in ML frameworks
The vulnerabilities identified by JFrog affect key components often used in ML workflows. Because these tools are widely trusted by ML practitioners for their flexibility, an attacker could exploit them to gain unauthorized access to sensitive files or to elevate privileges within ML environments.
One of the highlighted vulnerabilities involves Weave, a popular toolkit from Weights & Biases (W&B), which aids in tracking and visualizing ML model metrics. The WANDB Weave Directory Traversal vulnerability (CVE-2024-7340) enables low-privileged users to access arbitrary files across the filesystem.
This flaw arises due to improper input validation when handling file paths, potentially allowing attackers to view sensitive files that could include admin API keys or other privileged information. Such a breach could lead to privilege escalation, giving attackers unauthorized access to resources and compromising the security of the entire ML pipeline.
ZenML, an MLOps pipeline management tool, is also affected by a critical vulnerability that compromises its access control systems. This flaw allows attackers with minimal access privileges to elevate their permissions within ZenML Cloud, a managed deployment of ZenML, thereby accessing restricted information, including confidential secrets or model files.
The access control issue in ZenML exposes the system to significant risks, as escalated privileges could enable an attacker to manipulate ML pipelines, tamper with model data, or access sensitive operational data, potentially impacting production environments reliant on these pipelines.
Another serious vulnerability, known as the Deep Lake Command Injection (CVE-2024-6507), was found in the Deep Lake database - a data storage solution optimized for AI applications. This vulnerability permits attackers to execute arbitrary commands by exploiting how Deep Lake handles external dataset imports.
Due to improper command sanitization, an attacker could potentially achieve remote code execution, compromising the security of both the database and any connected applications.
A notable vulnerability was also found in Vanna AI, a tool designed for natural language SQL query generation and visualization. The Vanna.AI Prompt Injection (CVE-2024-5565) allows attackers to inject malicious code into SQL prompts, which the tool subsequently processes. This vulnerability, which could lead to remote code execution, allows malicious actors to target Vanna AI’s SQL-to-graph visualization feature to manipulate visualizations, execute SQL injections, or exfiltrate data.
Mage.AI, an MLOps tool for managing data pipelines, has been found to have multiple vulnerabilities, including unauthorized shell access, arbitrary file leaks, and weak path traversal checks.
These issues allow attackers to gain control over data pipelines, expose sensitive configurations, or even execute malicious commands. The combination of these vulnerabilities presents a high risk of privilege escalation and data integrity breaches, compromising the security and stability of ML pipelines.
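Both the Weave finding above (improper validation of file paths) and the weak path traversal checks reported in Mage.AI come down to the same defensive question: how a server should validate a user-supplied path before serving the file. The Python below is an added illustration, not code from either project or from JFrog's report; the artifact root directory and the sample requests are constructed, and it shows a naive prefix check beside a canonical-path containment check.

```python
"""Weak versus hardened file-path validation for a file-serving endpoint.

Added illustration only, not code from Weave, Mage.AI or JFrog's report.
ROOT is a hypothetical artifact directory; the sample requests are constructed.
"""
import os
from typing import Optional

ROOT = "/srv/artifacts"  # hypothetical artifact store root (need not exist)


def weak_resolve(root: str, user_path: str) -> Optional[str]:
    """Naive check: accept anything whose joined string starts with root.
    Nothing is canonicalised, so '..' segments survive; and a sibling directory
    sharing the prefix ('/srv/artifacts_old') passes even after normalisation."""
    candidate = os.path.join(root, user_path)
    return candidate if candidate.startswith(root) else None


def safe_resolve(root: str, user_path: str) -> Optional[str]:
    """Hardened check: canonicalise, then require containment, not a prefix.
    realpath collapses '..' and follows symlinks (and works for paths that do
    not exist yet); commonpath compares whole components, so
    '/srv/artifacts_old' is not mistaken for something under '/srv/artifacts'."""
    if os.path.isabs(user_path):  # os.path.join would discard root entirely
        return None
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, user_path))
    try:
        inside = os.path.commonpath([real_root, candidate]) == real_root
    except ValueError:  # mixed absolute/relative paths or different drives
        inside = False
    return candidate if inside else None


# Constructed sample requests, as a file-download API might receive them.
SAMPLE_REQUESTS = (
    "runs/42/metrics.json",         # legitimate artifact path
    "../../etc/shadow",             # dot-dot traversal out of the root
    "/etc/shadow",                  # absolute path handed straight to join()
    "../artifacts_old/secret.key",  # sibling directory sharing the prefix
)


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {request: (weak_check_allows, safe_check_allows)}."""
    return {r: (weak_resolve(ROOT, r) is not None,
                safe_resolve(ROOT, r) is not None) for r in requests}


if __name__ == "__main__":
    for req, (weak_ok, safe_ok) in evaluate().items():
        print(f"{req:30} weak={'allow' if weak_ok else 'deny'}  "
              f"safe={'allow' if safe_ok else 'deny'}")
```

The same containment test applies to any path that ends up in an open(), send_file() or download handler, which is where reviews of ML tooling should look first.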
By gaining admin access to ML databases or registries, attackers can embed malicious code in models, leading to backdoors that activate upon model load. This can compromise downstream processes as the models are utilized by various teams and CI/CD pipelines. The attackers can also exfiltrate sensitive data or conduct model poisoning attacks to degrade model performance or manipulate outputs.
JFrog’s findings highlight an operational gap in MLOps security. Many organizations lack robust integration of AI/ML security practices with broader cybersecurity strategies, leaving potential blind spots. As ML and AI continue to drive significant industry advancements, safeguarding the frameworks, datasets, and models that fuel these innovations becomes paramount.
AI is reshaping the business landscape, and companies committed to AI investment are likely to reap sustained rewards, new research has claimed.
A report from Unisys reveals as businesses establish structured AI strategies, backed by leadership and a long-term vision, they strengthen their position in an increasingly competitive environment.
AI is expected to be a permanent component of several companies’ strategic roadmap as 93% of executives favor the use of AI to stay ahead of the competition.
Time savings with Chief AI Officers?
Elsewhere, the report claimed 89% of brand executives anticipate their organization’s AI use will rise over the next year, with this growing enthusiasm suggesting businesses recognize AI’s potential to drive efficiency, innovation, and competitive differentiation.
The presence of dedicated AI leadership has proven to accelerate benefits, as 86% of companies with a Chief AI Officer reported substantial time savings.
Moreover, the competitive advantages are evident for companies that approach AI investment strategically. 30% of organizations that have invested in AI as a core component of their business strategy report a noticeable competitive edge.
Executives also recognize AI as a long-term asset, not just a trend. With nearly three-quarters of surveyed executives viewing AI as a reliable source of information, many are committed to sustaining AI’s role in business beyond immediate projects.
The study also indicates 60% of organizations expect to diversify their AI investments across various projects in the coming years, ensuring that AI becomes embedded in different facets of their operations, rather than being limited to isolated use cases.
“As executives are seeking insights for ROI on AI investments, they should consider that AI is designed to help problem-solve — from mundane tasks to complex challenges,” said Brett Barton, Vice President and Global AI Practice Leader at Unisys.
“This allows organizations to maximize the impact, especially when there is a targeted business challenge. With the right strategy, use case and focus, organizations that deploy AI will thrive.”
This year's launch of iOS 18 has brought a host of new features and functions to millions of iPhones, and a new leak suggests the same handsets that can run iOS 18 are going to be eligible for an upgrade to iOS 19 as well.
According to the usually reliable iPhoneSoft (via 9to5Mac), handsets as far back as the iPhone XS and iPhone XR, launched in 2018, are going to be able to get next year's software update. iOS 18, meanwhile, dropped support for the iPhone X and the iPhone 8, which both launched in 2017.
There is a caveat though: not all the new iOS 19 features will be available on all iPhones. This is something we're already used to of course, because recent handsets have the necessary processing power to handle Apple Intelligence, while others don't.
So far we've not heard too much about the upgrades iOS 19 is going to bring along with it, though apparently Apple is planning a ChatGPT-style update for Siri. At the moment of course, you can use ChatGPT inside Siri for more advanced AI conversations.
iPads and launch schedule
(Image caption: The 10.2-inch iPad 7 from 2019 could be missing out. Image credit: Future)
However, the same report says one iPad model will be left behind when iPadOS 19 rolls out. Apparently the 7th-gen entry-level iPad, which launched in 2019 and runs on an Apple A10 chip, won't be compatible.
The new minimum requirement for iPadOS 19 is said to be an A12 chip, which means every other iPad should get the software update. We can expect a similar set of new features to iOS 19, with a few tweaks and extras to account for the tablet form factor.
If Apple sticks to its usual schedule, then the first we'll officially hear about iOS 19 and iPadOS 19 will be at the WWDC (Worldwide Developers Conference) 2025, most likely happening sometime in June. After that, we should get a beta testing period, before a full public release in September 2025.
The new software updates will of course run on the iPhone 17 series, plus whatever new iPads Apple decides to bring out this year. We could well get the 11th-generation iPad before 2025 is out, as well as a new 8th-generation iPad Pro.
Data centers are some of the largest energy consumers in Europe, and are facing unique challenges in achieving net zero goals.
A recent survey by Aggreko found volatile energy costs and grid instability are prompting data center operators to rethink their timelines for carbon reduction.
Of the executives surveyed, over 90% have adjusted their net zero targets, with half of those extending their timelines due to these persistent energy-related challenges.
Decentralized energy solutions are gaining traction
For many data centers, achieving sustainability goals requires balancing environmental targets with economic feasibility, especially as energy prices continue to rise.
In response to these energy challenges, data centers are increasingly adopting decentralized energy solutions to mitigate grid dependence and improve resilience. The report claims 87% of European executives are already implementing some form of decentralized energy, with 54% planning to expand these systems.
The move toward decentralization allows data centers to maintain operational stability while reducing reliance on traditional grid energy, which is often unpredictable and expensive. However, even with decentralized systems in place, data center leaders are cautious about fully committing to ambitious decarbonization timelines given current economic constraints.
The situation is a delicate one for company executives: despite the urgency of environmental goals, cost and commercial viability remain the top priorities for data center leaders. Only 12% of CEOs ranked speed of decarbonization as their primary objective, while the majority prioritize reducing energy costs and achieving a commercial advantage.
As data centers operate on tight profit margins, any investment in sustainable practices must demonstrate a clear return on investment. For many in the sector, this balancing act between sustainability and financial stability is proving complex, with limited capital available for large-scale green initiatives.
A key risk identified in the report is the role of supply chains in delaying the energy transition. Almost half of the executives surveyed see supply chain issues as a significant barrier, with 21% ranking it as their top concern.
As supply chain disruptions persist, securing the technology and resources needed for sustainable upgrades has become a formidable challenge. This uncertainty adds another layer of difficulty to achieving net zero, particularly as data centers attempt to source low-carbon energy options.
To navigate these challenges, Aggreko recommends strategic partnerships between companies and energy providers. By collaborating with energy experts, data centers can better assess options like energy-as-a-service models and power purchase agreements that offer flexible, lower-risk alternatives to traditional energy procurement. These partnerships enable data centers to explore innovative energy strategies without overcommitting financially, a crucial approach for achieving both short- and long-term sustainability goals.
Though current conditions make it difficult to achieve rapid decarbonization, the report suggests that data centers remain committed to sustainability. With 80% of CEOs planning to increase investment in energy solutions, even if only incrementally, there is optimism for continued progress. By adopting a balanced approach that aligns with economic realities, data centers can move towards a sustainable future while managing the operational demands of today’s market.
Well, it's here: the year 2025, and a new year calls for more movies and shows arriving across the best streaming services, starting with Netflix. This past year has been an eventful one for Netflix with the releases of Rebel Ridge, miniseries Griselda, and of course One Day joining the library of the best Netflix shows and best Netflix movies – and it's only going to get better.
January 1 is packed with a blend of movies including fun family favorites and romance stories, but it's compelling dramas like Lion (2016), Interstellar (2014), and Dallas Buyers Club (2013) that top the list of new Netflix titles. In addition to the usual list of new arrivals, Netflix is also ushering in new original shows, starting with Selling the City on January 3 and as a major fan of Selling Sunset, I'll be sat.
Everything new on Netflix in January 2025
Arriving on January 1
13 Going on 30 (movie)
3 Ninjas: Kick Back (movie)
Apollo 13 (movie)
Blended (movie)
Bruce Almighty (movie)
Colombiana (movie)
Dallas Buyers Club (movie)
Dr. Seuss' The Cat in the Hat (movie)
Dr. Seuss' The Lorax (movie)
Erin Brockovich (movie)
Hotel Transylvania (movie)
Hotel Transylvania 2 (movie)
I Know What You Did Last Summer (movie)
Inception (movie)
Interstellar (movie)
Little Fockers (movie)
Love Actually (movie)
The Love Scam (Netflix original movie)
Meet the Fockers (movie)
Meet the Parents (movie)
Melancholia (movie)
Missing You (Netflix original series)
The Net (movie)
Notting Hill (movie)
Number 24 (Netflix original movie)
Out of Africa (movie)
Rush Hour (movie)
Rush Hour 2 (movie)
Rush Hour 3 (movie)
Schindler's List (movie)
Scooby-Doo (movie)
Scooby-Doo 2: Monsters Unleashed (movie)
Spider-Man (movie)
Spider-Man 2 (movie)
Spider-Man 3 (movie)
Arriving on January 2
Cunk on Life (TV show)
Stranded with my Mother-in-Law season 2 (Netflix original series)
Arriving on January 3
Bandidos season 2 (Netflix original series)
Love Is Blind: Germany (Netflix original series)
Shafted (Netflix original series)
Selling The City (Netflix original series)
Umjolo: My Beginning, My End! (Netflix original movie)
Wallace & Gromit: Vengeance Most Fowl (Netflix original movie)
Arriving on January 4
When the Stars Gossip (Netflix original series)
Arriving on January 6
My Happy Marriage season 2 (Netflix original series)
WWE Raw: 2025 (Netflix live event)
Arriving on January 7
The Breakthrough (Netflix original series)
Gabriel Iglesias: Legend of Fluffy (Netflix comedy special)
The Graham Norton Show: Best Bits: Week of December 31, 2024 (TV show)
Jerry Springer: Fights, Camera, Action (Netflix original documentary)
Younger seasons 1-7 (TV show)
Arriving on January 8
Dubai Bling season 3 (Netflix original series)
Hound's Hill (Netflix original series)
I AM A KILLER season 6 (Netflix original documentary)
Subteran (Netflix original series)
Arriving on January 9
American Primeval (Netflix original series)
Asura (Netflix original series)
I am Ilary (Netflix original series)
Lion (movie)
The Upshaws part 6 (Netflix original series)
Arriving on January 10
Ad Vitam (Netflix original movie)
Alpha Males season 3 (Netflix original series)
Love Is Blind: Germany (Netflix original series)
Arriving on January 11
SAKAMOTO DAYS (Netflix original series)
Arriving on January 13
The Walking Dead: The Ones Who Live season 1 (TV show)
Arriving on January 14
Ari Shaffir: America’s Sweetheart (Netflix comedy special)
Single’s Inferno season 4 (Netflix original series)
Arriving on January 15
Hereditary (movie)
Krapopolis season 1 (TV show)
Public Disorder (Netflix original series)
Arriving on January 16
XO, Kitty season 2 (Netflix original series)
Arriving on January 17
Back in Action (Netflix original movie)
Love Is Blind: Germany (Netflix original series)
Young, Famous & African season 3 (Netflix original series)
Arriving on January 18
SAKAMOTO DAYS (Netflix original series)
Arriving on January 21
The Graham Norton Show: Best Bits: Week of January 10, 2025 (TV show)
Arriving on January 22
W.A.G.s to Riches (Netflix original series)
Arriving on January 23
NCIS seasons 1-5 (TV show)
The Night Agent season 2 (Netflix original series)
Arriving on January 24
The Sand Castle (Netflix original movie)
Arriving on January 25
SAKAMOTO DAYS (Netflix original series)
Arriving on January 26
You Hurt My Feelings (movie)
Arriving on January 28
The Graham Norton Show: Best Bits: Week of January 17, 2025 (TV show)
Liza Treyger: Night Owl (Netflix comedy special)
Arriving on January 29
Six Nations: Full Contact season 2 (Netflix original series)
Arriving on January 30
Mo season 2 (Netflix original series)
The Recruit season 2 (Netflix original series)
The Seven Deadly Sins: Four Knights of the Apocalypse season 2 (Netflix original series)
Arriving on January 31
Lucca's World (Netflix original movie)
The Snow Girl season 2 (Netflix original series)