Cyber Resilience

CVE-2025-33208

High

Published: 03 December 2025

Published
03 December 2025
Modified
30 January 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0009 25.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-33208 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Nvidia Tao Toolkit. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008); ranked at the 25.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2025-33208 is a vulnerability in NVIDIA TAO that enables an attacker to cause a resource to be loaded via an uncontrolled search path, corresponding to CWE-427. Published on 2025-12-03, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, no required privileges, and user interaction needed.

A remote attacker without privileges can exploit this vulnerability by tricking a user into interacting with a malicious input, such as executing a crafted file or script. Successful exploitation may result in escalation of privileges, data tampering, denial of service, or information disclosure, with high impacts across confidentiality, integrity, and availability.

Mitigation details are available in the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5730, along with further analysis on the NVD page at https://nvd.nist.gov/vuln/detail/CVE-2025-33208 and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33208.

EU & UK References

Vulnerability details

NVIDIA TAO contains a vulnerability where an attacker may cause a resource to be loaded via an uncontrolled search path. A successful exploit of this vulnerability may lead to escalation of privileges, data tampering, denial of service, information disclosure.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1574.008 Path Interception by Search Order Hijacking Stealth
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2025-33208 (CWE-427: Uncontrolled Search Path) directly enables path interception by search order hijacking (T1574.008) for code execution via malicious resource loading, and facilitates privilege escalation (T1068) as described.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3888Same product: Canonical Ubuntu Linux
CVE-2026-34054Shared CWE-427
CVE-2024-53977Shared CWE-427
CVE-2025-33229Same vendor: Nvidia
CVE-2025-25003Shared CWE-427
CVE-2026-23741Shared CWE-427
CVE-2026-34632Shared CWE-427
CVE-2026-42171Shared CWE-427
CVE-2026-4134Shared CWE-427
CVE-2026-2361Shared CWE-427

Affected Assets

nvidia
tao toolkit
6.25.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the uncontrolled search path vulnerability in NVIDIA TAO through timely patching and flaw correction as provided by the vendor.

prevent

Verifies the integrity of software and firmware components loaded by the system, preventing execution of malicious resources from uncontrolled search paths.

prevent

Enforces least privilege on processes, limiting the scope of privilege escalation, data tampering, and other impacts even if a malicious resource is loaded.

References