Cyber Posture

CVE-2025-33208

High

Published: 03 December 2025

Modified: 30 January 2026
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0007 (21.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-33208 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Nvidia Tao Toolkit. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). Its EPSS score places it at the 21.8th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Path Interception by Search Order Hijacking (T1574.008) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent

Directly remediates the uncontrolled search path vulnerability in NVIDIA TAO through timely patching and flaw correction as provided by the vendor.

prevent

Verifies the integrity of software and firmware components loaded by the system, preventing execution of malicious resources from uncontrolled search paths.

prevent

Enforces least privilege on processes, limiting the scope of privilege escalation, data tampering, and other impacts even if a malicious resource is loaded.

MITRE ATT&CK Enterprise Techniques

T1574.008 Path Interception by Search Order Hijacking · Stealth
Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs.

T1068 Exploitation for Privilege Escalation · Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

CVE-2025-33208 (CWE-427: Uncontrolled Search Path) directly enables path interception by search order hijacking (T1574.008) for code execution via malicious resource loading, and facilitates privilege escalation (T1068) as described.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

NVIDIA TAO contains a vulnerability where an attacker may cause a resource to be loaded via an uncontrolled search path. A successful exploit of this vulnerability may lead to escalation of privileges, data tampering, denial of service, information disclosure.

Deeper analysis

CVE-2025-33208 is a vulnerability in NVIDIA TAO that enables an attacker to cause a resource to be loaded via an uncontrolled search path, corresponding to CWE-427. Published on 2025-12-03, it has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, no required privileges, and user interaction needed.

A remote attacker without privileges can exploit this vulnerability by tricking a user into interacting with a malicious input, such as executing a crafted file or script. Successful exploitation may result in escalation of privileges, data tampering, denial of service, or information disclosure, with high impacts across confidentiality, integrity, and availability.

Mitigation details are available in the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5730, along with further analysis on the NVD page at https://nvd.nist.gov/vuln/detail/CVE-2025-33208 and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33208.

Details

CWE(s)

CWE-427 (Uncontrolled Search Path Element)

Affected Products

nvidia · tao toolkit · 6.25.7

CVEs Like This One

CVE-2024-53977 · Shared CWE-427
CVE-2026-34054 · Shared CWE-427
CVE-2025-33229 · Same vendor: Nvidia
CVE-2025-25003 · Shared CWE-427
CVE-2026-2360 · Shared CWE-427
CVE-2026-23741 · Shared CWE-427
CVE-2026-5271 · Shared CWE-427
CVE-2026-2361 · Shared CWE-427
CVE-2026-42171 · Shared CWE-427
CVE-2026-23740 · Shared CWE-427

References