CVE-2025-33233
Published: 20 January 2026
Summary
CVE-2025-33233 is a high-severity Code Injection (CWE-94) vulnerability in NVIDIA Merlin Transformers4Rec. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 10.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Deeper analysis
CVE-2025-33233 is a code injection vulnerability, classified under CWE-94, affecting NVIDIA Merlin Transformers4Rec across all supported platforms. Published on 2026-01-20, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high impact on confidentiality, integrity, and availability.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction. Successful exploitation could lead to arbitrary code execution, privilege escalation, information disclosure, and data tampering.
Advisories providing further details, including potential mitigations and patches, are available from the National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2025-33233, NVIDIA at https://nvidia.custhelp.com/app/answers/detail/a_id/5761, and CVE.org at https://www.cve.org/CVERecord?id=CVE-2025-33233.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3359
Vulnerability details
NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.
- CWE(s): CWE-94 (Code Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1203 Exploitation for Client Execution
- T1068 Exploitation for Privilege Escalation
Why these techniques?
Local code injection (CWE-94) directly enables arbitrary code execution via client-side exploitation (T1203) and subsequent privilege escalation (T1068).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly addresses the code injection vulnerability by requiring timely identification, reporting, and patching of flaws in NVIDIA Merlin Transformers4Rec.
- SI-10 (Information Input Validation): Prevents code injection attacks by enforcing validation of all information inputs to the vulnerable Transformers4Rec component.
- SI-16 (Memory Protection): Mitigates arbitrary code execution from successful code injection through memory protection safeguards such as DEP and ASLR.