CVE-2026-25873 — AI Deep Analysis Summary

🚨 **Essence**: OmniGen2-RL has an **Unsafe Pickle Deserialization** flaw in its reward server. 💥 **Consequences**: Attackers can achieve **Remote Code Execution (RCE)**, leading to total system compromise.

🛡️ **Root Cause**: **CWE-502** (Deserialization of Untrusted Data). The code blindly unpickles user-controlled input without validation. 📉 **Flaw**: Trusting external data as executable Python objects.

👥 **Affected**: **Beijing Academy of Artificial Intelligence (BAAI)**'s **OmniGen2-RL** product. Specifically the `reward_server` components. 📦 **Version**: All versions prior to the fix (implied by the advisory).

💀 **Hacker Power**: Full **Remote Code Execution**. 📂 **Data**: Complete access to Confidentiality, Integrity, and Availability. The attacker owns the server.

⚡ **Threshold**: **LOW**. CVSS Vector: `AV:N/AC:L/PR:N/UI:N`. No authentication, no user interaction, and network-accessible. 🎯 **Easy to exploit** for anyone on the network.

🔍 **Public Exploit**: **Yes**. References point to specific code lines in `reward_proxy.py` and `reward_server.py` on GitHub. 📝 **PoC**: Available via VulnCheck advisory and source code analysis.

🔎 **Self-Check**: Scan for `pickle.loads()` or `pickle.load()` in `OmniGen2-RL/reward_server/` directories. 📋 **Look for**: Unsanitized input passed directly to deserialization functions.

🩹 **Fix**: Update to the patched version of OmniGen2-RL. 📖 **Reference**: Check the GitHub commit history or BAAI advisory for the specific fix commit. 🛠️ **Mitigation**: Disable the reward server if not needed.

🚧 **No Patch?**: **Isolate** the reward server. 🚫 **Block** network access to port/service. 🛑 **Disable** the `reward_server` component entirely if not essential for your workflow.

🔥 **Urgency**: **CRITICAL**. CVSS Score is **9.8** (High). 🚨 Immediate action required. RCE via network is a top-priority threat. Patch or isolate NOW.