NVIDIA NeMo Framework Vulnerabilities Allows Code Injection and Privilege Escalation

NVIDIA NeMo Framework Vulnerabilities Allows Code Injection and Privilege Escalation

Posted on By CWS

NVIDIA has issued a essential safety replace addressing two high-severity vulnerabilities in its NeMo Framework that might permit attackers to execute malicious code and escalate privileges on affected techniques.

The vulnerabilities, tracked as CVE-2025-23361 and CVE-2025-33178, each carry a CVSS rating of seven.8 and have an effect on all variations of the NeMo Framework earlier than model 2.5.0 throughout all platforms.

NVIDIA NeMo Framework Vulnerabilities

The primary vulnerability, CVE-2025-23361, exists in a framework script, the place malicious enter from an attacker could trigger improper management over code technology.

The second flaw, CVE-2025-33178, resides within the Bert companies element and allows code injection via malicious knowledge.

Each vulnerabilities share the identical assault vector and require native entry with low privileges.

CVE IDDescriptionCVSS ScoreCWECVE-2025-23361Improper management of code technology in framework script7.8CWE-94CVE-2025-33178Code injection in bert companies component7.8CWE-94

Profitable exploitation may lead to code execution, privilege escalation, info disclosure, and knowledge manipulation, posing vital dangers to organizations utilizing the framework.

The vulnerabilities have been found and reported by safety researchers from TencentAISec and NISL lab at Tsinghua College, highlighting the significance of collaborative safety analysis.

All variations of the NVIDIA NeMo Framework earlier than 2.5.0 are susceptible, no matter working system or platform. Organizations utilizing earlier software program department releases are additionally in danger and will improve instantly.

NVIDIA recommends that customers clone or replace to the NeMo Framework model 2.5.0 or later, obtainable from the official NVIDIA GitHub repository and the PyPI package deal supervisor.

The corporate emphasizes that customers on earlier department releases ought to improve to the newest department model.

Organizations ought to assess their particular configurations and apply the safety replace promptly to mitigate potential exploitation dangers.

Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , , ,

Related Posts

London Councils’ IT Systems Impacted by CyberAttack, Including Phone Lines London Councils’ IT Systems Impacted by CyberAttack, Including Phone Lines Cyber Security News
EmEditor Editor Website Hacked to Deliver Infostealer Malware in Supply Chain Attack EmEditor Editor Website Hacked to Deliver Infostealer Malware in Supply Chain Attack Cyber Security News
Hackers Poison Google Paid Ads With Fake Tesla Websites to Deliver Malware Hackers Poison Google Paid Ads With Fake Tesla Websites to Deliver Malware Cyber Security News
Xerox FreeFlow Vulnerabilities leads to SSRF and RCE Attacks Xerox FreeFlow Vulnerabilities leads to SSRF and RCE Attacks Cyber Security News
706,000+ BIND 9 Resolver Instances Vulnerable to Cache Poisoning Exposed Online 706,000+ BIND 9 Resolver Instances Vulnerable to Cache Poisoning Exposed Online Cyber Security News
New Gmail Phishing Attack With Weaponized Login Flow Steals Login Credentials New Gmail Phishing Attack With Weaponized Login Flow Steals Login Credentials Cyber Security News