CVE-2025-33222

Critical

Published: 23 December 2025

Published

23 December 2025

Modified

15 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 37.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-33222 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Nvidia Isaac Launchable. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 37.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

Authenticator Management prohibits hard-coded credentials and enforces proper establishment and management of authenticators, directly preventing exploitation of CVE-2025-33222.

SI-2 Flaw Remediation good match

preventrecover

Flaw Remediation requires timely identification, reporting, and correction of the hard-coded credential flaw in NVIDIA Isaac Launchable via patches or updates.

AC-2 Account Management partial match

prevent

Account Management allows for the creation, review, modification, disabling, or removal of accounts tied to hard-coded credentials, limiting unauthorized access.

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Hard-coded credentials enable use of default/valid accounts (T1078.001) for remote unauthenticated initial access via public-facing application exploitation (T1190), leading directly to arbitrary code execution and privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

NVIDIA Isaac Launchable contains a vulnerability where an attacker could exploit a hard-coded credential issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering.

Deeper analysisAI

CVE-2025-33222 is a critical vulnerability in NVIDIA Isaac Launchable stemming from a hard-coded credential issue, classified under CWE-798 (Use of Hard-coded Credentials). Published on 2025-12-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low attack complexity, and lack of prerequisites for exploitation.

The vulnerability enables remote attackers with no required privileges or user interaction to exploit the hard-coded credentials in NVIDIA Isaac Launchable. Successful exploitation could result in arbitrary code execution, privilege escalation, denial of service, and data tampering, potentially compromising the affected system's confidentiality, integrity, and availability.

Mitigation details are available in official advisories, including NVIDIA's security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5749, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33222, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33222. Security practitioners should consult these sources for patch availability, workarounds, and updated guidance.

Details

CWE(s): CWE-798

Affected Products

nvidia

isaac launchable

1.0

CVEs Like This One

CVE-2025-33223Same product: Nvidia Isaac Launchable

CVE-2025-33243Same vendor: Nvidia

CVE-2026-24148Same vendor: Nvidia

CVE-2026-24157Same vendor: Nvidia

CVE-2026-24164Same vendor: Nvidia

CVE-2026-24159Same vendor: Nvidia

CVE-2025-33240Same vendor: Nvidia

CVE-2025-33179Same vendor: Nvidia

CVE-2025-23268Same vendor: Nvidia

CVE-2025-33246Same vendor: Nvidia

References

https://nvd.nist.gov/vuln/detail/CVE-2025-33222
US Government Resource · psirt@nvidia.com
https://nvidia.custhelp.com/app/answers/detail/a_id/5749
Vendor Advisory · psirt@nvidia.com
https://www.cve.org/CVERecord?id=CVE-2025-33222
Third Party Advisory · psirt@nvidia.com