CVE-2025-23242
Published: 11 March 2025
Summary
CVE-2025-23242 is a high-severity Improper Access Control (CWE-284) vulnerability in Nvidia Riva. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly enforces approved access authorizations to prevent improper access control bypasses leading to privilege escalation, data tampering, DoS, or information disclosure.
Remediates the specific improper access control flaw in NVIDIA Riva through identification, reporting, and patching as recommended in the vendor advisory.
Limits the scope and impact of privilege escalation resulting from the access control bypass by enforcing least privilege principles.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Network-accessible improper access control vulnerability with no auth required directly enables exploitation of public-facing applications (T1190) and can be used for privilege escalation (T1068) as explicitly described in the impacts.
NVD Description
NVIDIA Riva contains a vulnerability where a user could cause an improper access control issue. A successful exploit of this vulnerability might lead to escalation of privileges, data tampering, denial of service, or information disclosure.
Deeper analysisAI
CVE-2025-23242 is an improper access control vulnerability (CWE-284) in NVIDIA Riva. The issue allows a user to bypass access controls, potentially leading to escalation of privileges, data tampering, denial of service, or information disclosure. It carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and low attack complexity.
Attackers with network access to a vulnerable NVIDIA Riva instance can exploit this without requiring privileges or user interaction. Successful exploitation could enable privilege escalation on the system, arbitrary data tampering affecting integrity, denial of service impacting availability, or unauthorized disclosure of sensitive information.
NVIDIA has published a security advisory with mitigation guidance at https://nvidia.custhelp.com/app/answers/detail/a_id/5625. Security practitioners should consult this bulletin for details on patches, workarounds, or configuration changes to address the vulnerability.
Details
- CWE(s)