Cyber Resilience

CVE-2025-33180

High

Published: 24 February 2026

Published
24 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0076 50.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-33180 is a high-severity Command Injection (CWE-77) vulnerability in Nvidia Cumulus Linux. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 49.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-33180 is a command injection vulnerability (CWE-77) in the NVUE interface of NVIDIA Cumulus Linux and NVOS products. Published on 2026-02-24, it carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw allows a low-privileged user to inject a command, which could lead to escalation of privileges.

An attacker requires adjacent network (AV:A) access and low privileges (PR:L) to exploit this with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), primarily manifesting as privilege escalation from the injected command.

Mitigation details are available in the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5722, along with further analysis on the NVD page at https://nvd.nist.gov/vuln/detail/CVE-2025-33180 and CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33180.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection allows arbitrary Unix shell command execution (T1059.004), enabling privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-33181Same product: Nvidia Cumulus Linux
CVE-2025-33179Same product: Nvidia Cumulus Linux
CVE-2025-33249Same vendor: Nvidia
CVE-2025-33246Same vendor: Nvidia
CVE-2025-22472Shared CWE-77
CVE-2026-24192Same vendor: Nvidia
CVE-2026-40061Shared CWE-77
CVE-2026-8632Shared CWE-77
CVE-2025-22473Shared CWE-77
CVE-2026-24194Same vendor: Nvidia

Affected Assets

nvidia
cumulus linux
≤ 5.14.0 · 5.9.0 — 5.9.4 · 5.11.0 — 5.11.4
nvidia
nvos
≤ 25.02.2452 · ≤ 25.02.4282 · ≤ 25.02.5030

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection vulnerabilities like this one by validating all inputs to the NVUE interface.

prevent

Enforces least privilege to restrict low-privileged users from accessing the NVUE interface or performing actions that could lead to escalation.

prevent

Enforces access control policies to block unauthorized command execution by low-privileged users through the NVUE interface.

References