Cyber Posture

CVE-2025-23360

High

Published: 11 March 2025

Modified: 23 September 2025
KEV Added
Patch
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H)
EPSS Score: 0.0014 (34.2th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may exploit software vulnerabilities in client applications to execute code.

Security Summary

CVE-2025-23360 is a relative path traversal vulnerability (CWE-23) in the NVIDIA NeMo Framework that allows arbitrary file write. Published on 2025-03-11, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H), indicating high impact on integrity and availability with no confidentiality impact.

Exploitation is local: the attacker needs no privileges but must induce a user to interact. By using relative path traversal to write files to arbitrary locations, the attacker can achieve code execution and data tampering on the affected system.

The NVIDIA security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5623 provides details on mitigation and available patches.

Details

CWE(s)
CWE-23

Affected Products

nvidia nemo ≤ 24.12

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (Tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Relative path traversal enabling arbitrary file write directly facilitates exploitation for client execution and data tampering in the vulnerable framework.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References