Cyber Resilience

CVE-2025-33181

High

Published: 24 February 2026

Published
24 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0035 26.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-33181 is a high-severity Command Injection (CWE-77) vulnerability in Nvidia Cumulus Linux. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 26.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-33181 is a command injection vulnerability (CWE-77) in the NVUE interface of NVIDIA Cumulus Linux and NVOS products. It enables a low-privileged user to inject commands, which could lead to escalation of privileges. The vulnerability carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H) and was published on 2026-02-24.

A low-privileged local user can exploit this vulnerability with low complexity and requires user interaction. Successful exploitation might allow the attacker to escalate privileges, resulting in high impacts to confidentiality, integrity, and availability.

Mitigation details are available in the NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5722, along with further information in the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33181 and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33181.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection (CWE-77) in local NVUE interface directly enables Unix shell command execution and exploitation for privilege escalation from low-privileged user.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-33180Same product: Nvidia Cumulus Linux
CVE-2025-33179Same product: Nvidia Cumulus Linux
CVE-2025-33249Same vendor: Nvidia
CVE-2025-33246Same vendor: Nvidia
CVE-2025-22472Shared CWE-77
CVE-2026-24192Same vendor: Nvidia
CVE-2026-40061Shared CWE-77
CVE-2026-8632Shared CWE-77
CVE-2025-22473Shared CWE-77
CVE-2026-24194Same vendor: Nvidia

Affected Assets

nvidia
cumulus linux
≤ 5.14.0 · 5.9.0 — 5.9.4 · 5.11.0 — 5.11.4
nvidia
nvos
≤ 25.02.2452 · ≤ 25.02.4282 · ≤ 25.02.5030

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly blocks the command injection (CWE-77) in the NVUE interface by validating untrusted user input before it is processed.

prevent

Limits the initial privileges of the low-privileged user so that even a successful injection cannot achieve the observed high-impact escalation.

prevent

Enforces the intended access-control policy on NVUE operations, preventing the injected commands from bypassing authorization checks.

References