Cyber Resilience

CVE-2025-33233

Severity: High
Published: 20 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: see NVIDIA advisory (References)
CVSS Score v3.1: 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0004 (10.9th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-33233 is a high-severity code injection (CWE-94) vulnerability in NVIDIA Merlin Transformers4Rec. Its CVSS v3.1 base score is 7.8 (High). NVD has not filed a CPE for it, so the affected product is taken from the NVIDIA advisory and the CVE description rather than from an NVD product match.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The EPSS score of 0.0004 places it at the 10.9th percentile of exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST SP 800-53 r5 SI-10 (Information Input Validation) and SI-16 (Memory Protection); applying the vendor fix (SI-2, Flaw Remediation) remains the primary remediation.

Deeper analysis

CVE-2025-33233 is a code injection vulnerability, classified under CWE-94, affecting NVIDIA Merlin Transformers4Rec on all supported platforms. Published on 2026-01-20, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): high impact on confidentiality, integrity, and availability, with scope unchanged.

Because the attack vector is local (AV:L), the attacker must already hold low-privileged access to the host where Transformers4Rec runs, or be able to supply input that such a process consumes. From there, exploitation needs low attack complexity and no user interaction, and a successful exploit can lead to arbitrary code execution in the context of the affected process, privilege escalation, information disclosure, and data tampering.

Advisories providing further details, including potential mitigations and patches, are available from the National Vulnerability Database at https://nvd.nist.gov/vuln/detail/CVE-2025-33233, NVIDIA at https://nvidia.custhelp.com/app/answers/detail/a_id/5761, and CVE.org at https://www.cve.org/CVERecord?id=CVE-2025-33233.

Vulnerability details

NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Code injection (CWE-94) yields arbitrary code execution in the process that consumes the attacker-controlled input (T1203); because the vector is local and requires only low privileges (AV:L/PR:L), the natural follow-on is elevation to the privileges of that process or of other users on the host (T1068). Note that T1203 normally implies a user opening attacker-supplied content, whereas this vector specifies no user interaction (UI:N), so treat the T1203 mapping as approximate and T1068 as the stronger fit.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-23963 (shared CWE-94)
CVE-2025-65271 (shared CWE-94)
CVE-2026-0500 (shared CWE-94)
CVE-2025-21292 (shared CWE-94)
CVE-2026-26682 (shared CWE-94)
CVE-2025-27678 (shared CWE-94)
CVE-2024-56448 (shared CWE-94)
CVE-2026-21853 (shared CWE-94)
CVE-2024-7425 (shared CWE-94)
CVE-2024-57061 (shared CWE-94)

Affected Assets

NVIDIA Merlin Transformers4Rec (all platforms)
Product inferred from the NVIDIA advisory and the CVE description; NVD did not file a CPE for this CVE, so asset matching must rely on the product name rather than a CPE string. ("Custhelp" in the reference URL is only the NVIDIA support portal that hosts the advisory, not the affected product.)

Mitigating Controls

Mitigating Controls (NIST SP 800-53 r5)

SI-2 Flaw Remediation (prevent)

Directly addresses the vulnerability by requiring timely identification, reporting, and patching of flaws; applying the NVIDIA fix for Merlin Transformers4Rec is the primary remediation.

SI-10 Information Input Validation (prevent)

Prevents code injection by enforcing validation of all inputs that reach the vulnerable Transformers4Rec component, so that untrusted data is never interpreted as code.

SI-16 Memory Protection (prevent)

Limits the impact of a successful code injection through memory-protection safeguards such as DEP and ASLR. Caveat: these protect native code paths; Transformers4Rec is a Python library, and injected code that runs inside the interpreter is not affected by them, so treat SI-16 as defence in depth rather than a fix.
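The SI-10 control above is abstract; the following Python shows what "validate inputs so they are never interpreted as code" means for a CWE-94 bug. This is an added example, not code from Transformers4Rec or NVIDIA: the advisory does not describe which Transformers4Rec code path is injectable, so the example uses a hypothetical "transform" expression field in a feature config, the canonical shape of a Python code-injection bug (an untrusted string reaching eval()), beside a hardened version that parses the input to an AST and evaluates only an allowlisted grammar. The sample inputs are constructed; the "malicious" one calls os.getpid() as a harmless stand-in for arbitrary code.

```python
"""Generic CWE-94 pattern beside an SI-10-style hardened version.

Added example, not code from Transformers4Rec or NVIDIA. The "transform"
field and both sample inputs are hypothetical/constructed.
"""
import ast
import operator

# Constructed sample inputs: a legitimate expression and an attacker-supplied one.
BENIGN = "x * 2 + 1"
MALICIOUS = "__import__('os').getpid()"  # harmless stand-in for arbitrary code

MAX_EXPR_LEN = 256  # reject absurdly long inputs before parsing
MAX_EXPONENT = 64   # bound '**' so '9**9**9**9' cannot hang the process

_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
            ast.Mult: operator.mul, ast.Div: operator.truediv,
            ast.Pow: operator.pow}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def apply_transform_unsafe(expr: str, x: float) -> float:
    """Vulnerable: the config string is executed as Python (CWE-94).

    Whoever controls `expr` runs code with this process's privileges.
    """
    return eval(expr, {"x": x})  # noqa: S307  (deliberately vulnerable)


def _eval_node(node: ast.AST, x: float) -> float:
    """Interpret only arithmetic on numeric literals and the variable x."""
    if isinstance(node, ast.Expression):
        return _eval_node(node.body, x)
    if isinstance(node, ast.Constant):
        if isinstance(node.value, (int, float)) and not isinstance(node.value, bool):
            return float(node.value)
        raise ValueError("only numeric literals are allowed")
    if isinstance(node, ast.Name):
        if node.id == "x":
            return x
        raise ValueError(f"unknown name: {node.id}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_eval_node(node.operand, x))
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left = _eval_node(node.left, x)
        right = _eval_node(node.right, x)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent out of range")
        return _BIN_OPS[type(node.op)](left, right)
    # Attribute access, calls, subscripts, strings, lambdas, comprehensions, ...
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def apply_transform_safe(expr: str, x: float) -> float:
    """Hardened: parse to an AST and evaluate only an allowlisted subset.

    Nothing is ever handed to eval/exec, so there is no code to inject;
    anything outside the grammar is rejected with ValueError.
    """
    if len(expr) > MAX_EXPR_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expr, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"invalid expression: {exc.msg}") from None
    try:
        return _eval_node(tree, x)
    except (ZeroDivisionError, OverflowError) as exc:
        raise ValueError(f"arithmetic error: {exc}") from None


if __name__ == "__main__":
    print(apply_transform_safe(BENIGN, 3.0))
    for bad in (MALICIOUS, "x.__class__", "2**10**10", "1/0"):
        try:
            apply_transform_safe(bad, 1.0)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The point of the hardened version is that the allowlist is on syntax, not on strings: stripping __builtins__ from eval() or blacklisting the word "import" is bypassable through attribute chains such as `().__class__.__base__.__subclasses__()`, whereas an AST walker that only knows numbers, x, and five operators has no path to the interpreter at all. The length and exponent bounds are there because input validation for SI-10 also has to cover availability (A:H in the vector), not just code execution.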

References

NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-33233
NVIDIA advisory: https://nvidia.custhelp.com/app/answers/detail/a_id/5761
CVE.org: https://www.cve.org/CVERecord?id=CVE-2025-33233