NIGHTFALL TOOL 102 — ML TRAINING CLUSTER ANNIHILATION ENGINE

SPECTER THUNDERBOLT

One bolt. Your entire AI infrastructure becomes a smoking crater. SPECTER THUNDERBOLT is the world-first commercial ML training cluster exploitation engine. Targets Ray distributed compute (CVE-2023-48022 CVSS 9.8), Slurm HPC schedulers (CVE-2023-41915 CVSS 8.8), and MLflow experiment tracking (CVE-2024-1483 CVSS 9.8). Cluster worm propagation across Ray, Slurm, and Kubernetes. Hardware sabotage via nvidia-smi power pin, IPMI fan override, and SSD wear acceleration. DESTROY gate — beyond UNLEASHED — requires ROE document, Ed25519 signature, and --confirm-physical-harm. 288 tests.

288 Tests | 3 CVEs | 9.8 Max CVSS | 5 WMD Classes
Attack Surface

Three CVEs. Three Platforms. One Cluster. Total Annihilation.

SPECTER THUNDERBOLT exploits the vulnerabilities that AI infrastructure teams ignore: the Ray dashboard exposed to the network, the Slurm controller socket, the MLflow tracking server with no auth. ML training clusters are the most valuable and most exposed systems in any AI organisation. Compromise the cluster, own every model trained on it.

| ID | Component | Vulnerability | CVSS | Gate |
|---|---|---|---|---|
| CVE-2023-48022 | Ray distributed compute | Unauthenticated remote code execution via Ray dashboard API. No authentication required on default Ray deployments. Enables arbitrary job submission, environment variable harvest, and lateral movement to all cluster nodes via num_cpus=0 worm job. | 9.8 | DESTROY |
| CVE-2024-1483 | MLflow tracking server | Path traversal in MLflow artifact store — attacker-controlled artifact URI traverses out of the artifact root, enabling arbitrary file read and write on the MLflow server. Enables model registry poisoning and experiment data theft. | 9.8 | INJECT |
| CVE-2023-41915 | Slurm HPC scheduler | Slurm prolog/epilog filesystem race condition — symlink attack on job file allows privilege escalation from regular user to root on all cluster nodes. Combined with srun all-node exec, achieves cluster-wide root compromise. | 8.8 | DESTROY |

Architecture

Eight Subsystems

01

SURVEY

Real HTTP/TCP fingerprinting: Ray dashboard detection (port 8265/8080), Slurm REST API probe (port 6820), MLflow tracking server enumeration (port 5000), Kubernetes API server discovery, NCCL port sweep (29500-29510), platform confidence scoring 0.0–1.0, CVE applicability matrix. OPEN gate.
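
Read from the defending side, the ports this subsystem probes are a checklist for your own exposure. The following is an added example, not code from this page or from the tool it describes: it parses `ss -Htln` output taken on a cluster node and reports which of those services listen on a non-loopback address. The sample socket listing is constructed, and the service labels for each port follow the page's own descriptions.

```python
import ipaddress

# Ports named in the SURVEY and INFILTRATE descriptions on this page.
WATCHED = {8265: "Ray dashboard", 8080: "Ray dashboard (alt)",
           6820: "Slurm REST API", 5000: "MLflow tracking server", 2379: "etcd"}
NCCL_PORTS = range(29500, 29511)  # 29500-29510, labelled NCCL by the page

# Constructed sample of `ss -Htln` output (no header), not from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:8265 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
LISTEN 0 4096 [::]:6820 [::]:*
LISTEN 0 128 10.0.0.5:29500 0.0.0.0:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 [::1]:2379 [::]:*
"""

def service_for(port):
    if port in WATCHED:
        return WATCHED[port]
    return "NCCL port range" if port in NCCL_PORTS else None

def is_loopback(host):
    host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface suffix
    if host in ("*", ""):
        return False  # wildcard bind: reachable on every interface
    return ipaddress.ip_address(host).is_loopback

def exposed_listeners(ss_output):
    """Return (service, bind address, port) for watched ports bound off-loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        service = service_for(int(port))
        if service and not is_loopback(host):
            findings.append((service, host.strip("[]"), int(port)))
    return findings

if __name__ == "__main__":
    for service, host, port in exposed_listeners(SAMPLE_SS):
        print(f"EXPOSED {service}: {host}:{port}")
```

A listener flagged here still needs a firewall or security-group check before it counts as reachable; the point is that none of these services should be bound to a wildcard address without authentication in front of them.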

02

INFILTRATE

Initial access exploitation: CVE-2023-48022 Ray dashboard unauthenticated RCE, CVE-2024-1483 MLflow path traversal, Slurm prolog race (CVE-2023-41915), Kubernetes misconfigured RBAC, exposed etcd (port 2379), GPU node SSH bruteforce with harvested cloud-init credentials. INJECT gate.

03

SPREAD

Cluster worm propagation engine: Ray num_cpus=0 job floods all nodes (CVE-2023-48022), Slurm srun --nodelist=ALL executes payload across the entire partition, Kubernetes privileged DaemonSet deploys to every node in the cluster. Three worm vectors. One command. Zero survivors. DESTROY gate.

04

HARVEST

Credential and data exfiltration: cloud provider IAM keys from GPU node instance metadata (169.254.169.254, GCP, Azure), training data manifest theft, model checkpoint extraction via MLflow artifact API, Weights & Biases API key harvest from environment, Hugging Face token sweep, GPU cluster SSH key harvest. INJECT gate.

05

CORRUPT

Training data and model poisoning: realtime gradient injection during active training runs via shared filesystem write, MLflow model registry poison (malicious checkpoint registered as production model), dataset manifest tampering (SHA-256 hash replacement), training loss curve manipulation via metric API forgery. DESTROY gate.
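
The "SHA-256 hash replacement" item works against any dataset manifest that is stored on the same writable filesystem as the data it describes: whoever can rewrite a shard can rewrite its hash too. The following added example (not from this page or the tool) shows the defensive counterpart, sealing the manifest with an HMAC whose key is kept off the training cluster. The file names, contents and key are constructed.

```python
import hashlib
import hmac
import json

def file_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Map each file name to the SHA-256 of its contents."""
    return {name: file_digest(data) for name, data in sorted(files.items())}

def seal(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical manifest; the key must live off the cluster."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def verify(files: dict, manifest: dict, tag: str, key: bytes) -> dict:
    """Check file hashes against the manifest and the manifest against its seal."""
    hashes_ok = set(files) == set(manifest) and all(
        file_digest(files[name]) == digest for name, digest in manifest.items())
    seal_ok = hmac.compare_digest(seal(manifest, key), tag)
    return {"hashes_match": hashes_ok, "seal_valid": seal_ok}

# Constructed demo data: two small shards, a manifest, and its seal.
KEY = b"constructed-demo-key"
FILES = {"shard-0000.jsonl": b'{"text": "a"}\n',
         "shard-0001.jsonl": b'{"text": "b"}\n'}
MANIFEST = build_manifest(FILES)
TAG = seal(MANIFEST, KEY)

def tampered_copy():
    """Model the tampering described above: a shard and its manifest hash both change."""
    files = dict(FILES)
    files["shard-0001.jsonl"] = b'{"text": "poisoned"}\n'
    return files, build_manifest(files)

if __name__ == "__main__":
    print("clean   :", verify(FILES, MANIFEST, TAG, KEY))
    bad_files, bad_manifest = tampered_copy()
    print("tampered:", verify(bad_files, bad_manifest, TAG, KEY))
```

The tampered copy passes the hash comparison and fails only the seal check, which is why the manifest's integrity has to be anchored somewhere a cluster-side writer cannot reach.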

06

PERSIST

Three persistence mechanisms: Ray detached job polls C2 every 24 hours and resubmits on failure, Slurm self-resubmitting job survives cluster restarts via sbatch --dependency=afternotok, Kubernetes CronJob (every 6 hours) deployed to kube-system namespace with cluster-admin RBAC. Survives reboots. DESTROY gate.
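
The Kubernetes artefacts named here and under SPREAD (a CronJob in kube-system running with cluster-admin, and a privileged DaemonSet) are both visible in the API and can be audited. The following is an added example, not code from this page or the tool: it walks a JSON object list shaped like the output of `kubectl get cronjobs,daemonsets,clusterrolebindings -A -o json` and flags both patterns. The sample objects and their names are constructed.

```python
import json

# Constructed sample; object names are hypothetical.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ClusterRoleBinding", "metadata": {"name": "sync-admin"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "node-sync", "namespace": "kube-system"}]},
 {"kind": "CronJob", "metadata": {"name": "node-sync", "namespace": "kube-system"},
  "spec": {"schedule": "0 */6 * * *", "jobTemplate": {"spec": {"template": {"spec":
    {"serviceAccountName": "node-sync", "containers": [{"name": "c"}]}}}}}},
 {"kind": "CronJob", "metadata": {"name": "logrotate", "namespace": "kube-system"},
  "spec": {"schedule": "@daily", "jobTemplate": {"spec": {"template": {"spec":
    {"containers": [{"name": "c"}]}}}}}},
 {"kind": "DaemonSet", "metadata": {"name": "gpu-helper", "namespace": "default"},
  "spec": {"template": {"spec": {"containers":
    [{"name": "c", "securityContext": {"privileged": true}}]}}}},
 {"kind": "DaemonSet", "metadata": {"name": "metrics", "namespace": "monitoring"},
  "spec": {"template": {"spec": {"containers": [{"name": "c"}]}}}}
]}
""")

def pod_spec(obj):
    """Return the pod spec embedded in a CronJob or DaemonSet."""
    spec = obj["spec"]
    if obj["kind"] == "CronJob":
        spec = spec["jobTemplate"]["spec"]
    return spec["template"]["spec"]

def cluster_admin_accounts(items):
    """(namespace, name) of every ServiceAccount bound to cluster-admin."""
    return {(s.get("namespace"), s["name"])
            for o in items
            if o["kind"] == "ClusterRoleBinding" and o["roleRef"]["name"] == "cluster-admin"
            for s in o.get("subjects") or [] if s["kind"] == "ServiceAccount"}

def audit(items):
    admins, findings = cluster_admin_accounts(items), []
    for o in items:
        if o["kind"] not in ("CronJob", "DaemonSet"):
            continue
        ns, name, ps = o["metadata"]["namespace"], o["metadata"]["name"], pod_spec(o)
        sa = ps.get("serviceAccountName", "default")
        if o["kind"] == "CronJob" and (ns, sa) in admins:
            findings.append((f"CronJob {ns}/{name}", "runs as cluster-admin"))
        containers = ps.get("containers", []) + ps.get("initContainers", [])
        if o["kind"] == "DaemonSet" and any(
                (c.get("securityContext") or {}).get("privileged") for c in containers):
            findings.append((f"DaemonSet {ns}/{name}", "privileged container"))
    return findings
```

Legitimate node agents (CNI plugins, GPU device plugins) also run as privileged DaemonSets, so the findings are meant to be diffed against a known-good baseline rather than treated as alerts on their own.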

07

SABOTAGE

Hardware destruction payloads: nvidia-smi -pm 1 + nvidia-smi -pl [max TDP] pins GPU power limit to maximum thermal design power accelerating hardware failure, IPMI fan override to 0% RPM causes thermal runaway on bare-metal nodes, SSD wear acceleration via sequential write loop exhausts NAND flash endurance. --confirm-physical-harm required. DESTROY gate.

08

REPORT

Ed25519-signed TBT-{hex12} reports. MITRE ATLAS AML.T0018/T0043/T0048/T0054. OWASP LLM03/LLM06. CVSS 3.1 scoring. WMD class mapping. Financial blast radius (training compute cost USD, model IP value, hardware replacement cost). JSON + Markdown output.

DESTROY Gate

Beyond UNLEASHED. Three Keys. One Crater.

SPECTER THUNDERBOLT introduces the DESTROY gate — a third tier beyond UNLEASHED. DESTROY-gated operations can cause irreversible physical hardware damage and cluster-wide data loss. Three requirements must all be satisfied simultaneously: a signed Rules of Engagement document, an Ed25519 operator key signature, and the --confirm-physical-harm flag. No DESTROY operation executes without all three.

ROE Document

A signed Rules of Engagement document explicitly authorising physical hardware sabotage, cluster-wide worm propagation, and irreversible data destruction. Must name the target cluster, authorised operator, engagement window, and maximum blast radius. Verified on every DESTROY operation.

Ed25519 Signature

Operator private key required. Every DESTROY-tier command is signed with the operator's Ed25519 key and the signature is embedded in the TBT-{hex12} report. Provides cryptographic proof of authorisation. Key is never transmitted — signing occurs locally before command execution.

--confirm-physical-harm

Explicit flag required on every SABOTAGE operation. Acknowledges that GPU power pinning, IPMI fan override, and SSD wear acceleration may cause permanent hardware damage. Cannot be aliased or scripted away. Must be typed by the operator at execution time.

SABOTAGE Subsystem

Hardware Destruction. Physics-Level Damage. DESTROY Gate.

SPECTER THUNDERBOLT's SABOTAGE subsystem targets the physical hardware layer of ML training clusters. These operations cause real, irreversible hardware damage and are gated behind the full DESTROY triple-lock. Proof-of-concept only — execution against systems without written authorisation is illegal under the Computer Misuse Act 1990 and equivalent statutes worldwide.

GPU Power Pin (nvidia-smi)

nvidia-smi -pm 1 enables persistent mode, nvidia-smi -pl [TDP] pins power limit to the GPU's maximum thermal design power. A100 80GB: 400W sustained. H100 SXM5: 700W sustained. Combined with blocked cooling (IPMI fan override), ambient temperature rise causes accelerated electromigration, VRAM degradation, and eventual GPU failure. Mean time to failure: 6–72 hours at max TDP with zero airflow.

IPMI Fan Override (0% RPM)

IPMI raw 0x30 0x70 0x66 0x01 0x00 0x00 overrides BMC fan control to 0% RPM on Dell/HPE/Supermicro platforms. Disables all chassis cooling. GPU junction temperature rises above 95°C throttle point within minutes. Sustained operation above 85°C degrades HBM2/HBM3 memory cells permanently. Node-level IPMI access gained via harvested BMC credentials or CVE-2023-41915 privilege escalation.

SSD Wear Acceleration

Sequential write loop targeting NVMe training storage exhausts NAND flash P/E cycle endurance. Enterprise NVMe SSDs: 3 DWPD = 3x capacity written per day before warranty failure. Sustained 10 GB/s write load from all cluster nodes simultaneously depletes 3.84 TB NVMe (Samsung PM9A3/Intel P5520) in under 8 hours. Filesystem becomes read-only at endurance limit. Training data and checkpoints unrecoverable.

WMD Classification

Five WMD Classes. DESTROY Gate Required for Three.

training_cluster_annihilation

Cluster worm propagation confirmed: Ray num_cpus=0 job, Slurm srun all-node, or Kubernetes DaemonSet has reached all nodes in the training cluster. Full cluster compromise from single entry point. All nodes executing attacker payload. DESTROY gate required.

realtime_gradient_poison

Realtime gradient injection confirmed during active training run: adversarial gradients written to shared parameter server or filesystem mount corrupt model convergence. Training run must be aborted and restarted from a pre-compromise checkpoint. DESTROY gate required.

model_ip_exfil

Model checkpoint exfiltration confirmed: training checkpoints, fine-tuned weights, or production model artifacts extracted from MLflow registry or training filesystem. Proprietary model IP stolen. INJECT gate — does not require DESTROY.

training_infrastructure_pwn

Training infrastructure root compromise confirmed: Slurm CVE-2023-41915 privilege escalation or Kubernetes cluster-admin RBAC achieved. Attacker controls the scheduling and execution plane for all ML training workloads. DESTROY gate required for cluster-wide propagation.

ml_pipeline_backdoor

ML pipeline backdoor confirmed: poisoned model registered as production in MLflow model registry, survives model validation pipeline. All subsequent inference from the poisoned model serves attacker-controlled outputs. MLflow CVE-2024-1483 path traversal enables artifact store write. INJECT gate.

Kill Chain

Full Annihilation Commands

    # OPEN gate: fingerprint cluster, map attack surface
    thunderbolt survey --target 10.0.0.1 --platform auto

    # OPEN gate: scan CIDR for exposed Ray/Slurm/MLflow/K8s
    thunderbolt survey --cidr 10.0.0.0/24

    # INJECT gate: MLflow path traversal CVE-2024-1483
    thunderbolt infiltrate --target 10.0.0.1 --cve CVE-2024-1483 --gate inject

    # INJECT gate: model checkpoint exfiltration
    thunderbolt harvest --target 10.0.0.1 --mode checkpoints --gate inject

    # INJECT gate: MLflow registry poison
    thunderbolt corrupt --target 10.0.0.1 --mode registry --gate inject

    # DESTROY gate: Ray cluster worm propagation (CVE-2023-48022)
    thunderbolt spread --target 10.0.0.1 --vector ray --gate destroy \
        --roe /path/to/signed-roe.json

    # DESTROY gate: Slurm all-node worm (CVE-2023-41915)
    thunderbolt spread --target 10.0.0.1 --vector slurm --gate destroy \
        --roe /path/to/signed-roe.json

    # DESTROY gate: hardware sabotage — GPU power pin + IPMI fan override + SSD wear
    thunderbolt sabotage --target 10.0.0.1 --gate destroy \
        --roe /path/to/signed-roe.json --confirm-physical-harm

    # DESTROY gate: full annihilate kill chain
    thunderbolt annihilate --target 10.0.0.1 --gate destroy \
        --roe /path/to/signed-roe.json --confirm-physical-harm \
        --output /tmp/specter-thunderbolt-results/