NVIDIA has released an urgent security update for its DGX Spark AI workstation after discovering 14 vulnerabilities in the system's firmware that could allow attackers to execute malicious code and launch denial-of-service attacks.
The most severe flaw has a CVSS score of 9.3 and affects all DGX Spark devices running versions earlier than the new OTA0 update.
The vulnerabilities reside in several firmware components of the DGX Spark GB10, including SROOT, OSROOT, and hardware resource controls.
NVIDIA's Offensive Security Research team identified these flaws, which expose the AI workstation to serious security risks.
Attackers with local access can exploit these weaknesses to bypass security protections, modify hardware controls, and gain unauthorized access to protected regions of the system-on-chip.
The critical vulnerability, tracked as CVE-2025-33187, allows attackers with privileged access to breach SoC-protected regions, potentially leading to code execution, data theft, system manipulation, denial-of-service attacks, or privilege escalation. This flaw requires immediate attention due to its critical severity rating and broad impact on system integrity.

| CVE ID | Base Score | CWE | Potential Impacts |
|---|---|---|---|
| CVE-2025-33187 | 9.3 | CWE-269 | Code execution, information disclosure, data tampering, denial of service, escalation of privileges |
| CVE-2025-33188 | 8.0 | CWE-269 | Information disclosure, data tampering, denial of service |
| CVE-2025-33189 | 7.8 | CWE-787 | Code execution, data tampering, denial of service, information disclosure, escalation of privileges |
| CVE-2025-33190 | 6.7 | CWE-787 | Code execution, data tampering, denial of service, escalation of privileges |
| CVE-2025-33191 | 5.7 | CWE-20 | Denial of service |
| CVE-2025-33192 | 5.7 | CWE-690 | Code execution, denial of service, information disclosure |
| CVE-2025-33193 | 5.7 | CWE-354 | Code execution, denial of service, information disclosure |
| CVE-2025-33194 | 5.7 | CWE-180 | Information disclosure, denial of service |
| CVE-2025-33195 | 4.4 | CWE-119 | Data tampering, denial of service, escalation of privileges |
| CVE-2025-33196 | 4.4 | CWE-226 | Information disclosure |
| CVE-2025-33197 | 4.3 | CWE-476 | Code execution, denial of service |
| CVE-2025-33198 | 3.3 | CWE-226 | Information disclosure |
| CVE-2025-33199 | 3.2 | CWE-670 | Data tampering |
| CVE-2025-33200 | 2.3 | CWE-226 | Information disclosure |
All NVIDIA DGX Spark systems running versions earlier than OTA0 are vulnerable. The security update addresses all 14 CVEs at once.
NVIDIA urges customers to download and install the latest DGX OS version immediately from the official NVIDIA DGX website.
Customers can also visit the NVIDIA Product Security page to subscribe to security bulletins and to report potential security issues. The vulnerabilities primarily require local access to exploit, though some can be triggered without privileges.
Organizations using DGX Spark workstations for AI development and machine learning workloads should prioritize this update to prevent potential compromise of sensitive AI models and training data.
