CVE-2025-15453 is a deserialization vulnerability identified in milvus, an open-source vector database widely used for AI and machine learning applications. The vulnerability resides in the HTTP Endpoint component, specifically in the expr.Exec function located in pkg/util/expr/expr.go. The issue arises from improper handling of the 'code' argument, which is deserialized without adequate validation or sanitization. This unsafe deserialization can be exploited remotely by attackers to execute arbitrary code on the affected system. The vulnerability affects all milvus versions from 2.6.0 up to 2.6.7. The CVSS 4.0 base score is 5.3 (medium severity), reflecting that exploitation requires low attack complexity and no user interaction, but does require low privileges. The vulnerability does not require authentication, increasing its risk profile. Although no known exploits have been observed in the wild, the public disclosure of the vulnerability and the availability of technical details may facilitate development of exploits. A patch is planned for the upcoming milvus 2.6.8 release. Given milvus's role in managing and querying large-scale vector data, exploitation could lead to unauthorized code execution, data leakage, or service disruption.

For European organizations, the impact of CVE-2025-15453 can be significant, especially for those leveraging milvus in AI, machine learning, or data analytics infrastructures. Successful exploitation could lead to remote code execution, allowing attackers to compromise system confidentiality, integrity, and availability. This could result in unauthorized access to sensitive data, manipulation or deletion of vector databases, and disruption of critical AI services. Organizations in sectors such as finance, healthcare, research, and technology that rely on milvus for advanced data processing may face operational downtime and reputational damage. Additionally, the lack of authentication requirement increases the risk of automated attacks from external threat actors. The medium severity score suggests a moderate but non-negligible risk, warranting timely mitigation to prevent escalation.

European organizations should immediately inventory their milvus deployments to identify affected versions (2.6.0 through 2.6.7). Until the official patch in version 2.6.8 is released, organizations should implement network-level protections such as restricting access to milvus HTTP endpoints using firewalls or VPNs to trusted IP addresses only. Employing Web Application Firewalls (WAFs) with custom rules to detect and block suspicious deserialization payloads can provide additional defense. Monitoring logs for unusual activity targeting the expr.Exec function or anomalous HTTP requests is recommended. Organizations should also consider isolating milvus instances in segmented network zones to limit lateral movement if compromised. Once the patch is available, prompt application of the update is critical. Additionally, reviewing and hardening milvus configurations to minimize exposed attack surfaces and applying the principle of least privilege for service accounts will reduce risk.