Cyber Posture

CVE-2025-23360

Severity: High
Published: 11 March 2025
Modified: 23 September 2025
KEV Added: not listed in the CISA KEV catalog
Patch: available (see the NVIDIA security advisory)
CVSS Score: 7.1, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS Score: 0.0014 (34.2nd percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23360 is a high-severity Relative Path Traversal (CWE-23) vulnerability in the NVIDIA NeMo Framework. Its CVSS v3.1 base score is 7.1 (High); the vector is local, needs no privileges, and requires user interaction.

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). EPSS ranks it at the 34.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly mitigates the vulnerability by requiring timely installation of the patches provided in the NVIDIA security advisory, which remediate the path traversal flaw.

SI-10 Information Input Validation (prevent)
Prevents exploitation by validating the file paths used for writes: canonicalise the path and confirm it remains inside the intended directory, rather than only rejecting '../' substrings, which absolute paths and symlinks bypass.

File and software integrity verification (prevent, detect)
Detects and helps contain code execution and data tampering by verifying the integrity of critical files and software that an arbitrary write could have modified or planted.
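The integrity-verification control above, as an added example that is not from this page, NeMo or NVIDIA: a SHA-256 manifest of an install tree and a verification pass that reports modified, added and removed files. The directory layout, file contents and the "tampering" step are constructed for the demonstration and stand in for the effect of an arbitrary write.

```python
"""Added example (not NeMo's code): baseline a directory with SHA-256 digests,
then detect files that were modified, added or removed since the baseline."""
from __future__ import annotations

import hashlib
import os
import tempfile


def build_manifest(root: str) -> dict[str, str]:
    """Map every entry under root (path relative to root) to a SHA-256 digest.

    Symlinks are recorded by their link target instead of being followed, so a
    planted link shows up as an added or modified entry rather than pulling an
    outside file into the manifest.
    """
    manifest: dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                manifest[rel] = "symlink:" + os.readlink(full)
                continue
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_manifest(root: str, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under root with a baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a small install tree, then alter one
    module and plant one new file (as an out-of-directory write would), and verify."""
    with tempfile.TemporaryDirectory() as root:
        pkg = os.path.join(root, "framework", "utils")
        os.makedirs(pkg)
        with open(os.path.join(pkg, "loader.py"), "w", encoding="utf-8") as fh:
            fh.write("def load(path):\n    return open(path, 'rb').read()\n")
        with open(os.path.join(root, "framework", "config.yaml"), "w", encoding="utf-8") as fh:
            fh.write("precision: bf16\n")

        baseline = build_manifest(root)

        # Simulated tampering: an existing module gains a line, a new file appears.
        with open(os.path.join(pkg, "loader.py"), "a", encoding="utf-8") as fh:
            fh.write("print('tampered')\n")
        with open(os.path.join(root, "framework", "sitecustomize.py"), "w", encoding="utf-8") as fh:
            fh.write("pass\n")

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline manifest must live somewhere the vulnerable process cannot write (a read-only store or a signed file), otherwise the same arbitrary write that alters a module can also rewrite the baseline.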

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

A relative path traversal that yields an arbitrary file write lets a crafted input processed by the framework plant or overwrite files outside the intended directory, which is the route to code execution and data tampering in the vulnerable framework.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

NVIDIA Nemo Framework contains a vulnerability where a user could cause a relative path traversal issue by arbitrary file write. A successful exploit of this vulnerability may lead to code execution and data tampering.

Deeper analysis

CVE-2025-23360 is a relative path traversal vulnerability (CWE-23) in the NVIDIA NeMo Framework that results in an arbitrary file write. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H): high impact on integrity and availability, no confidentiality impact.

The attack vector is local and requires no privileges, but user interaction is required: a user has to process attacker-controlled input with the framework. Because the traversal is relative to a directory the framework intends to write into, a path carrying '../' components (or an absolute path) lands the written file outside that directory. Overwriting code or configuration that is later loaded gives code execution; overwriting data files gives tampering.

The NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5623 provides details on mitigation and available patches.
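The input-validation control (SI-10) listed above and the arbitrary-write mechanism described in this section, as an added example that is not NeMo's code or NVIDIA's fix: a naive target-path computation for an archive member next to a hardened one that canonicalises the path and requires it to stay inside the destination directory. The function names, the sample member names and the temporary destination directory are assumptions constructed for the demonstration.

```python
"""Added example (not NeMo's code): computing the on-disk target for an
untrusted relative path, first the vulnerable way, then with containment."""
from __future__ import annotations

import os
import tempfile


def unsafe_target_path(dest_dir: str, member_name: str) -> str:
    """Vulnerable pattern: the member name comes straight from untrusted input.

    os.path.join() keeps '../' components and discards dest_dir entirely when
    member_name is absolute, so the write escapes dest_dir.
    """
    return os.path.join(dest_dir, member_name)


def safe_target_path(dest_dir: str, member_name: str) -> str:
    """Hardened pattern: canonicalise, then require containment.

    realpath() collapses '..' and resolves symlinks (including one a previous
    member may have planted inside dest_dir), so the commonpath check covers
    '../' sequences, absolute paths and symlink tricks alike. A substring check
    for '../' would miss the last two.
    """
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, member_name))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path traversal blocked: {member_name!r}")
    return target


# Constructed archive member names (assumptions for the demo).
SAMPLE_MEMBERS = [
    "model_config.yaml",                  # benign
    "weights/../model_weights.ckpt",      # benign once normalised
    "../../../home/user/.bashrc",         # relative traversal
    "/tmp/outside_of_destination.txt",    # absolute path
]


def classify_members(dest_dir: str, members: list[str]) -> dict[str, str]:
    """Run the hardened check over each member: 'allowed' or 'blocked'."""
    verdicts: dict[str, str] = {}
    for member in members:
        try:
            safe_target_path(dest_dir, member)
            verdicts[member] = "allowed"
        except ValueError:
            verdicts[member] = "blocked"
    return verdicts


def run_demo() -> dict[str, str]:
    """Classify SAMPLE_MEMBERS against a fresh temporary destination directory."""
    with tempfile.TemporaryDirectory() as dest:
        return classify_members(dest, SAMPLE_MEMBERS)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as dest:
        for member in SAMPLE_MEMBERS:
            print(f"{member!r:40} naive    -> {unsafe_target_path(dest, member)}")
    for member, verdict in run_demo().items():
        print(f"{member!r:40} hardened -> {verdict}")
```

The comparison uses os.path.commonpath rather than str.startswith: a string-prefix test would accept a sibling directory such as dest_dir + "_other", while commonpath only matches on whole path components.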

Details

CWE(s)
CWE-23 Relative Path Traversal

Affected Products
nvidia / nemo, versions ≤ 24.12


References

NVIDIA Security Bulletin: https://nvidia.custhelp.com/app/answers/detail/a_id/5623