CVE-2025-33181
Published: 24 February 2026
Summary
CVE-2025-33181 is a high-severity Command Injection (CWE-77) vulnerability in NVIDIA Cumulus Linux. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 26.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-33181 is a command injection vulnerability (CWE-77) in the NVUE interface of NVIDIA Cumulus Linux and NVOS products. It enables a low-privileged user to inject commands, which could lead to escalation of privileges. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H) and was published on 2026-02-24.
A low-privileged local user can exploit this vulnerability with low attack complexity, but exploitation requires user interaction. Successful exploitation might allow the attacker to escalate privileges, resulting in high impacts to confidentiality, integrity, and availability.
Mitigation details are available in the NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5722, along with further information in the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33181 and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33181.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208098
Vulnerability details
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection (CWE-77) in the local NVUE interface directly enables Unix shell command execution and exploitation for privilege escalation by a low-privileged user.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly blocks the command injection (CWE-77) in the NVUE interface by validating untrusted user input before it is processed.
Limits the initial privileges of the low-privileged user so that even a successful injection cannot achieve the observed high-impact escalation.
Enforces the intended access-control policy on NVUE operations, preventing the injected commands from bypassing authorization checks.