Infrastructure Flaws: The Silent Threat to AI Security

2025.10.26.
AI Security Blog
Infrastructure Flaws: The Silent Threat to AI Security

Infrastructure Under Siege: Foundational Security Flaws Pose a Direct Threat to AI/ML Systems

The security of AI and LLM systems does not exist in a vacuum; it is critically dependent on the integrity of the underlying infrastructure. A stark reminder of this reality emerged with the recent disclosure from F5, a cornerstone of enterprise networking and application delivery. The announcement of over 40 vulnerabilities, coupled with the confirmation that a nation-state actor exfiltrated proprietary technology and security research data, represents a foundational supply-chain risk with severe implications for AI security.

This incident, which Tenable’s CSO Robert Huber described as a “five-alarm fire for national security,” prompted an immediate response from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). CISA issued Emergency Directive ED 26-01, mandating that federal agencies inventory and patch all vulnerable F5 BIG-IP products by October 22. The directive specifically targets F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF platforms, highlighting the widespread impact.

Kapcsolati űrlap - EN

Do you have a question about AI Security? Reach out to us here:

From an AI red teaming perspective, the compromise of a critical network appliance like F5 BIG-IP is a catastrophic event. These devices often sit at the chokepoint for data flowing into and out of data centers where AI/ML models are trained and run. An adversary in control of this layer could:

  • Intercept and poison training data in transit, subtly corrupting models without ever touching the MLOps pipeline directly.
  • Exfiltrate sensitive models or proprietary datasets, representing a monumental loss of intellectual property.
  • Disrupt AI-powered services by manipulating traffic or launching denial-of-service attacks against inference endpoints.

The comparison of this breach to the SolarWinds incident is not hyperbole. It underscores a critical lesson for AI security practitioners: securing the model and the application layer is insufficient if the network foundation they are built upon is compromised.

Observed in the Wild: LLM Abuse Focuses on Operational Efficiency, Not Novel Attacks

While infrastructure threats loom large, direct abuse of LLMs remains a primary concern. OpenAI’s October 2025 report, “Disrupting malicious uses of AI: an update,” provides valuable ground-truth on how threat actors are currently leveraging their models. The findings indicate a focus on augmenting existing TTPs rather than creating revolutionary new attack vectors.

OpenAI detected and disrupted seven distinct malicious campaigns, observing threat actors using ChatGPT for activities such as:

  • Refining and generating malware code.
  • Establishing malicious command-and-control (C2) infrastructure.
  • Generating phishing content across multiple languages at scale.
  • Executing various cyber scams with greater speed and believability.

The key takeaway from OpenAI’s analysis is that “threat actors bolt AI onto old playbooks to move faster, not gain novel offensive capability from our models.” For AI red teamers, this is a crucial insight. It suggests that current defensive postures should be hardened against classic attacks that are now supercharged with AI. Simulations should focus on high-volume, highly-convincing, multi-lingual phishing and social engineering campaigns, and the rapid generation of polymorphic malware variants, as these represent the most immediate and realistic threats posed by LLM abuse.

The Data Poisoning Paradox: Why Bigger Models Aren’t Safer

A groundbreaking study from Anthropic, conducted with the U.K. AI Security Institute and the Alan Turing Institute, has overturned a long-held assumption in LLM security: that larger models are inherently more resilient to data poisoning attacks. The research, detailed in “Poisoning Attacks on LLMs Require a Near-Constant Number of Poison Samples,” reveals a deeply counter-intuitive and alarming vulnerability.

The study demonstrates that creating a backdoor in an LLM does not require poisoning a large percentage of the training data. Instead, a small, nearly constant number of malicious samples is sufficient to compromise models of vastly different sizes.

Key Findings from the Research:

  • The researchers tested models ranging from 600 million to 13 billion parameters.
  • They found that while 100 poisoned documents were insufficient, 250 or more poisoned samples were enough to reliably install a backdoor across all model sizes.
  • The attack involved inserting an innocuous trigger phrase, <SUDO>, into a small set of training documents to cause the model to output gibberish text upon receiving the trigger.

The implication is profound: as models scale and their training datasets grow into the trillions of tokens, the attack surface for injecting malicious content expands proportionally, while the adversary’s required effort remains fixed and trivial. An attacker only needs to successfully insert around 250 malicious documents into a multi-million document dataset to create a persistent vulnerability. This makes data poisoning attacks far more practical and accessible than previously believed.

While the study focused on a simple backdoor, it raises urgent questions about more complex behaviors, like safety-guardrail bypasses or malicious code generation. The findings place immense pressure on MLOps and data engineering teams to implement robust defenses, such as stringent data filtering, provenance verification, and post-training backdoor detection, as part of the core model development lifecycle.

From the Lab to the Boardroom: AI and Cyber Risk Demand Executive Oversight

The escalating technical threats are now being mirrored by a significant shift in corporate governance. AI and cybersecurity are no longer siloed technical issues but have become central to boardroom discussions on risk and strategy. An analysis by EY of Fortune 100 proxy statements and 10-K filings reveals a dramatic increase in executive-level oversight.

Key Governance Trends:

  • 94% of Fortune 100 boards now formally discuss AI oversight, a notable increase from 79% in the previous year.
  • 35% of these companies have established a dedicated board committee for AI, more than doubling from 14%.
  • On the broader cyber front, 100% of analyzed boards now possess cybersecurity expertise, and 84% have a dedicated CISO.

This heightened focus is a direct response to a deteriorating threat landscape. The U.K. National Cyber Security Centre’s (NCSC) 2025 annual review provides stark figures, reporting that “nationally significant” cyber incidents have more than doubled to 204 from 89 in the previous 12-month period. The severity is also increasing, with a nearly 50% rise in “highly significant” incidents. The NCSC explicitly identifies nation-state actors from China, Russia, Iran, and North Korea as primary threats.

For security leaders, this confluence of trends is a clear mandate. The work of AI red teams, vulnerability researchers, and security architects is no longer just about finding bugs. It is about generating the data and insights necessary to inform strategic decision-making at the highest levels of the organization. Communicating the risk of a data poisoning attack or the implications of an infrastructure breach in clear, business-relevant terms is now an essential skill for ensuring enterprise resilience in the age of AI.

Securing AI: The New Role of NISTs IoT Framework

2025.10.18.

Beyond the Model: Securing AI Containers

2025.10.26.

Contact

Attila Rácz-Akácosi, AI Security Strategy Consultant, Aiq.hu ©

Send an email with the details, and I will help you outline concrete steps toward safer AI operation.
Ai Red Teaming Hungary, Global Ai Safety / LLM Security Audit

Ai Red Teaming Dictionary

AI Security Audit - Checklist