Before others can find it: Penetration tests and source code analyses make an essential contribution to IT security. For example, if serious security gaps are found and closed as a result. As in this case.
Attackers take over company systems with the help of the "new kid in the customer support"? You don't want to read such headlines and we have made sure that it doesn't happen in the first place. We, that is the Security Testing Team of Deutsche Telekom, and the support’s newcomer is the chatbot in many companies.
They can be found there - but also in more and more areas - and are enjoying increasing popularity. Chatbots help in natural language, are available around the clock and are cheaper than a call center team, for example. Today, they are based on artificial intelligence (AI), which is on everyone's lips right now. But with every new, networked technology, the attack surface of digital technology grows. And the number of possible vulnerabilities that can be used as a door to networked systems is also increasing.
As the Security Testing Team, we found such a solution in a product from Rasa at the beginning of 2025. You can use it to build these popular chatbots. In so-called penetration tests, we first identified this vulnerability in Rasa. Then we sounded out the criticality and determined how far we can go thanks to the vulnerability. In fact, we were even able to take over a system completely. To do this, we have combined techniques from the areas of penetration testing and source code analysis.
When we talk about artificial intelligence in relation to chatbots, we are talking about the large AI language models (LLM). They specialize in finding the right answer to a specific question. In the case of Rasa, the model consists of several parts, each of which is active at different points in a system architecture. Some of these components were vulnerable to the so-called deserialization attack. As a result, attackers who gain access to certain data streams can execute lines of code on the system server.
Rasa allows users to access it remotely via an interface. In this way, it was possible to exchange the model and thus execute code on the server. This is referred to as remote code execution (RCE). This allows an attacker to take over a system completely.
But we didn't just explore the weaknesses of the product. We also thought about how to fix them. By exchanging the functions, the data load from components of the model on the one hand. And on the other hand, by unsing libraries that do not allow deserialization attacks.
From these detailed analyses, the Security Testing Team at Telekom Security has developed a proof of concept (PoC). We immediately made this available to Rasa. As part of the so-called "Responsible Disclosure" principle, we discussed possible solutions with the manufacturer. After Rasa confirmed and fixed the vulnerability, the Security Testing Team verified the effectiveness of the patch. Afterwards, the patches were released by Rasa.
This is an excellent example of how penetration tests and source code analyses make an essential contribution to IT security for everyone. We also carry out penetration tests on behalf of our customers. For example, before the market launch of a product.
More technical details about this vulnerability and a technical description of how it was found and how the PoC was developed can be found here.