CVE-2025-33250
Published: 18 February 2026
Summary
CVE-2025-33250 is a high-severity Code Injection (CWE-94) vulnerability in Nvidia Nemo. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006); ranked at the 31.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 mandates timely flaw remediation, directly addressing the code injection vulnerability in NVIDIA NeMo Framework through patching as recommended in advisories.
SI-10 requires validation of information inputs, preventing code injection (CWE-94) exploits in the NeMo Framework.
SI-16 implements memory protections to mitigate unauthorized code execution resulting from the local RCE vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CWE-94 code injection directly enables arbitrary Python code execution (T1059.006) via exploitation of the vulnerable application (T1203).
NVD Description
NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.
Deeper analysisAI
CVE-2025-33250 is a code injection vulnerability (CWE-94) in the NVIDIA NeMo Framework that enables an attacker to achieve remote code execution. A successful exploit could result in code execution, denial of service, information disclosure, and data tampering. The vulnerability has a CVSS v3.1 base score of 7.8 (High), with vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access is required alongside low attack complexity and low privileges.
The attack scenario involves a local attacker with low-level privileges who can exploit the vulnerability without user interaction. Upon successful exploitation, the attacker gains high-impact capabilities, including unauthorized code execution, disruption of service availability, exposure of sensitive information, and manipulation of data integrity within the affected NVIDIA NeMo Framework environment.
Mitigation details are available in official advisories, including the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5762, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33250, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33250. Security practitioners should consult these resources for patch information and recommended remediations. The vulnerability was published on 2026-02-18.
Details
- CWE(s)