OWASP_LLM_TOP10 · LLM03:2025 · voice-validated
AL, Founder at SQUR · last verified 2026-06-20
Regulation text
LLM supply chains are vulnerable to integrity failures, particularly in training data, models, and deployment platforms. Risks include compromised pretrained models, poisoned fine-tuning data, malicious adapters or LoRA components, vulnerable open-weight repositories, and lack of provenance verification. The category also includes risks from third-party model hubs, marketplaces, and software dependencies.
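The "lack of provenance verification" point above is the one a loader can actually enforce. The following is an added example, not code from OWASP or SQUR: a gate that runs before a downloaded weight file is loaded. It pins every artifact's SHA-256 in a release manifest, refuses pickle-based containers (`.bin`, `.pt`, `.pkl`, `.ckpt`), and sanity-checks the safetensors header so a truncated or tampered file is rejected rather than parsed. The manifest layout (file name → hex digest), the directory names and the sample files are constructed for the demo; the safetensors byte layout (u64 little-endian header length, JSON header, raw tensor bytes) is the real format.

```python
"""Added example (not from the OWASP page or SQUR): a loader-side provenance
gate for model artifacts. The manifest format, file names and sample files
below are constructed for the demo."""
import hashlib
import hmac
import json
import os
import struct
import tempfile

# Pickle-based containers (.bin/.pt/.pkl/.ckpt) deserialize arbitrary Python
# objects on load, so only plain tensor/text formats pass this gate.
ALLOWED_EXTENSIONS = {".safetensors", ".json", ".txt"}


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so multi-GB weights do not hit memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_safetensors_header(path: str) -> bool:
    """safetensors layout: u64 little-endian header length, JSON header, raw
    tensor bytes. Accept only if the header parses and every tensor's
    data_offsets range lies inside the data section that follows it."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        prefix = f.read(8)
        if len(prefix) != 8:
            return False
        (hdr_len,) = struct.unpack("<Q", prefix)
        if hdr_len > size - 8:
            return False
        try:
            header = json.loads(f.read(hdr_len))
        except (ValueError, UnicodeDecodeError):
            return False
    if not isinstance(header, dict):
        return False
    data_len = size - 8 - hdr_len
    for name, meta in header.items():
        if name == "__metadata__":
            continue
        offsets = meta.get("data_offsets") if isinstance(meta, dict) else None
        if not (isinstance(offsets, list) and len(offsets) == 2):
            return False
        start, end = offsets
        if not (0 <= start <= end <= data_len):
            return False
    return True


def verify_artifact(path: str, manifest: dict) -> str:
    """Return 'ok' or a short rejection reason. The manifest (file name ->
    expected hex SHA-256) is assumed to ship with the signed release, not
    with the mirror the file was fetched from."""
    name = os.path.basename(path)
    ext = os.path.splitext(name)[1]
    if ext not in ALLOWED_EXTENSIONS:
        return "format-not-allowed"
    expected = manifest.get(name)
    if expected is None:
        return "not-in-manifest"
    if not hmac.compare_digest(sha256_file(path), expected):
        return "digest-mismatch"
    if ext == ".safetensors" and not check_safetensors_header(path):
        return "bad-header"
    return "ok"


def write_safetensors(path: str, header: dict, payload: bytes) -> None:
    """Build a minimal safetensors file for the demo (constructed data)."""
    raw = json.dumps(header).encode()
    with open(path, "wb") as f:
        f.write(struct.pack("<Q", len(raw)) + raw + payload)


def demo() -> dict:
    """Exercise the gate on constructed files and return each verdict."""
    header = {"w": {"dtype": "F32", "shape": [2], "data_offsets": [0, 8]}}
    verdicts = {}
    with tempfile.TemporaryDirectory() as d:
        for sub in ("release", "mirror", "corrupt"):
            os.mkdir(os.path.join(d, sub))
        # Release artifact: its digest is what the manifest pins.
        good = os.path.join(d, "release", "model.safetensors")
        write_safetensors(good, header, b"\x00" * 8)
        manifest = {"model.safetensors": sha256_file(good)}
        verdicts["good"] = verify_artifact(good, manifest)
        # Same file name from a mirror, one payload byte changed.
        tampered = os.path.join(d, "mirror", "model.safetensors")
        write_safetensors(tampered, header, b"\x00" * 7 + b"\x01")
        verdicts["tampered"] = verify_artifact(tampered, manifest)
        # Pickle-based weights are refused before any hashing happens.
        pickled = os.path.join(d, "mirror", "pytorch_model.bin")
        with open(pickled, "wb") as f:
            f.write(b"constructed-bytes")
        verdicts["pickle"] = verify_artifact(pickled, manifest)
        # An adapter that never appeared in the release manifest.
        unknown = os.path.join(d, "mirror", "adapter.safetensors")
        write_safetensors(unknown, header, b"\x00" * 8)
        verdicts["unpinned"] = verify_artifact(unknown, manifest)
        # Pinned digest but header claims 64 data bytes; only 8 are present.
        bad = os.path.join(d, "corrupt", "model.safetensors")
        write_safetensors(bad, {"w": {"dtype": "F32", "shape": [16],
                                      "data_offsets": [0, 64]}}, b"\x00" * 8)
        verdicts["bad-header"] = verify_artifact(
            bad, {"model.safetensors": sha256_file(bad)})
    return verdicts


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} -> {verdict}")
```

The ordering matters: the format check runs before hashing so a pickle file is never even opened by a deserializer, and the digest check runs before the header parse so only bytes that already match the pinned release are parsed at all. A manifest fetched from the same untrusted mirror as the weights adds nothing; it has to come from a channel the attacker cannot edit alongside the file.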
ATT&CK techniques this article tests · 15
| Technique | Why it maps | Confidence |
|---|---|---|
| T1195.001 | 1. Malicious adapters and LoRA components represent a compromise of software dependencies. 2. This technique directly addresses the integrity of third-party software within the LLM supply chain, as outlined in LLM03:2025. | 90% |
| T1195.002 | 1. Compromised pretrained models and vulnerable open-weight repositories are direct examples of compromised software supply chains. 2. LLM03:2025 explicitly highlights these as key integrity risks. | 90% |
| T1565.001 | 1. Poisoned fine-tuning data directly manipulates stored data to alter model behavior. 2. LLM03:2025 identifies this as a critical integrity failure within the LLM supply chain. | 85% |
| T1068 | 1. Vulnerabilities in deployment platforms can be exploited to gain higher privileges. 2. This aligns with LLM03:2025's concern for deployment platform integrity. | 80% |
| T1547.001 | 1. Malicious components, once introduced via a compromised supply chain, can establish persistence. 2. This ensures continued unauthorized access or influence over the LLM system, impacting its integrity. | 75% |
| T1562.001 | 1. A compromised model or platform component might disable or modify security tools. 2. This action evades defenses, allowing further integrity breaches as described in LLM03:2025. | 70% |
| T1082 | 1. A malicious component within the LLM supply chain may perform system information discovery. 2. This reconnaissance helps attackers understand the environment for further exploitation, undermining system integrity. | 65% |
| T1083 | 1. Malicious code introduced through a compromised supply chain might discover sensitive files. 2. This includes training data or other models, directly impacting the integrity and confidentiality of LLM assets. | 65% |
| T1005 | 1. A compromised LLM or its platform can collect sensitive data from the local system. 2. This directly relates to the integrity and confidentiality risks highlighted by LLM03:2025 regarding data handling. | 70% |
| T1041 | 1. Data collected by a compromised LLM component can be exfiltrated over a command and control channel. 2. This represents a significant integrity and confidentiality breach, as per LLM03:2025. | 70% |
| T1105 | 1. A compromised LLM deployment platform or model can download additional malicious tools. 2. This ingress tool transfer further compromises the system's integrity, as warned by LLM03:2025. | 70% |
| T1485 | 1. A malicious model or component can be designed to destroy data. 2. This directly impacts the integrity and availability of LLM assets and training data, a core concern of LLM03:2025. | 80% |
| T1490 | 1. A compromised deployment platform or model could inhibit system recovery mechanisms. 2. This prevents restoration of integrity after an attack, aligning with the risks in LLM03:2025. | 75% |
| T1021.001 | 1. A compromised LLM deployment platform could be used to move laterally within the network. 2. This expands the impact of the initial supply chain compromise, affecting broader system integrity. | 60% |
| T1059.003 | 1. Malicious code embedded in a compromised model or platform could execute commands via the Windows Command Shell. 2. This allows arbitrary code execution, directly undermining the integrity of the LLM system. | 65% |
Defending mitigations · 7
| Mitigation | What it does | Confidence |
|---|---|---|
| M1050 | 1. Implementing robust software supply chain security directly addresses compromised models, data, and dependencies. 2. This mitigation is central to preventing the integrity failures described in LLM03:2025. | 95% |
| M1047 | 1. Regular auditing helps detect integrity failures, unauthorized changes, and lack of provenance verification. 2. This directly supports the identification of risks from LLM03:2025. | 85% |
| M1038 | 1. Filtering network content can prevent the download of malicious components or exfiltration of sensitive data. 2. This protects against external threats impacting LLM supply chain integrity, as per LLM03:2025. | 80% |
| M1018 | 1. Effective user account management limits access to critical LLM components, training data, and deployment platforms. 2. This reduces the attack surface for integrity compromises outlined in LLM03:2025. | 75% |
| M1051 | 1. Timely software updates patch vulnerabilities in deployment platforms and dependencies. 2. This directly mitigates risks from vulnerable components, as highlighted in LLM03:2025. | 80% |
| M1030 | 1. Network segmentation isolates LLM environments, limiting the impact of a supply chain compromise. 2. This reduces the blast radius of integrity failures mentioned in LLM03:2025. | 70% |
| M1021 | 1. Restricting web-based content prevents access to untrusted model hubs and marketplaces. 2. This directly addresses risks from third-party sources, a key concern of LLM03:2025. | 70% |
Underlying weaknesses · 7
| CWE | Why it persists | Confidence |
|---|---|---|
| CWE-829 | 1. The inclusion of compromised pretrained models or malicious adapters represents functionality from an untrusted control sphere. 2. LLM03:2025 directly addresses this risk in the LLM supply chain. | 90% |
| CWE-494 | 1. Lack of provenance verification for models and components leads to downloading code without integrity checks. 2. This is a core vulnerability identified by LLM03:2025 regarding supply chain integrity. | 85% |
| CWE-502 | 1. Malicious data or model components, if deserialized without proper validation, can lead to code execution. 2. This directly relates to the integrity failures in models and data mentioned in LLM03:2025. | 80% |
| CWE-913 | 1. Vulnerable open-weight repositories and dynamic loading of components demonstrate improper control of dynamically-managed code resources. 2. This contributes to integrity risks in LLM03:2025. | 75% |
| CWE-1301 | 1. Failure to validate standard components or data indicates an improperly implemented security check. 2. This directly contributes to integrity failures in the LLM supply chain, as per LLM03:2025. | 70% |
| CWE-1303 | 1. Risks from third-party model hubs and marketplaces stem from improperly implemented security checks for third-party components. 2. LLM03:2025 explicitly highlights these external dependencies as integrity risks. | 80% |
| CWE-20 | 1. Poisoned fine-tuning data is a direct result of improper input validation. 2. This weakness leads to integrity failures in models, a key concern of LLM03:2025. | 85% |
What SQUR Covers
Web application + API pentesting for OWASP Top 10, business logic flaws, authentication bypass, injection attacks, and other application-layer vulnerabilities. €1,995 per scan, 24-hour turnaround, EU-only data.
What SQUR Does Not Cover
Internal network pentesting, endpoint security testing, physical security assessments, social engineering, or ICT third-party concentration risk reviews. Engage a complementary provider for those scope items.
Provenance
Mapped Q2.2026 using gemini-2.5-flash · €0.0199 compute · voice-rubric self-validated