CVE-2026-25873 is a critical security vulnerability affecting the OmniGen2-RL product developed by the Beijing Academy of Artificial Intelligence (BAAI). The vulnerability stems from insecure deserialization of untrusted data (CWE-502) in the reward server component. Specifically, the server accepts HTTP POST requests containing serialized Python objects using the pickle module, which is inherently unsafe when handling untrusted input. Because the deserialization process is unauthenticated and exposed over the network, remote attackers can craft malicious pickle payloads that, when deserialized by the server, execute arbitrary code on the host system. This leads to remote code execution (RCE) without requiring any user interaction or prior authentication. The vulnerability affects version 0 of OmniGen2-RL and was published on March 18, 2026. The CVSS 4.0 base score of 9.3 reflects the vulnerability's critical nature, with attack vector being network (AV:N), no attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H, I:H, A:H). The vulnerability does not have any known public exploits yet, but the underlying issue—pickle deserialization of untrusted data—is a well-known and highly exploitable weakness. The lack of authentication and exposure of the reward server component increases the attack surface significantly. No patches or mitigations have been officially published at the time of this report, increasing the urgency for organizations to implement interim protective measures.

The impact of CVE-2026-25873 is severe for organizations using OmniGen2-RL, particularly those deploying the reward server component in accessible network environments. Successful exploitation allows attackers to execute arbitrary commands remotely, potentially leading to full system compromise. This could result in unauthorized data access, data manipulation, service disruption, or the deployment of persistent malware. Given the criticality of AI infrastructure, attackers could leverage this vulnerability to disrupt AI model training, steal proprietary algorithms or datasets, or pivot to other parts of the network. The unauthenticated nature of the flaw means that any external attacker with network access to the vulnerable service can exploit it, increasing the likelihood of attacks. The absence of known exploits currently may delay immediate widespread attacks, but the vulnerability's characteristics make it a prime target for future exploitation. Organizations may face operational downtime, reputational damage, and potential regulatory consequences if sensitive data is compromised.

To mitigate CVE-2026-25873, organizations should immediately restrict network access to the OmniGen2-RL reward server component, ideally isolating it within trusted internal networks or behind firewalls and VPNs. Disable or replace the use of Python's pickle deserialization for processing incoming HTTP POST requests; instead, adopt safe serialization formats such as JSON or protobuf with strict schema validation. If code changes are not immediately feasible, implement application-layer filtering to detect and block suspicious serialized payloads. Employ network intrusion detection systems (NIDS) with signatures targeting malicious pickle payloads. Monitor logs for unusual POST requests or unexpected command execution patterns. Conduct thorough code reviews and security testing of AI infrastructure components to identify and remediate insecure deserialization practices. Stay alert for official patches or updates from BAAI and apply them promptly once available. Additionally, implement robust endpoint detection and response (EDR) solutions to detect and contain potential exploitation attempts.