CVE-2025-33180
Published: 24 February 2026
Description
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command. A successful exploit of this vulnerability might lead to escalation of privileges.
Mitigating Controls (NIST 800-53 r5)
Directly prevents command injection vulnerabilities like this one by validating all inputs to the NVUE interface.
Enforces least privilege to restrict low-privileged users from accessing the NVUE interface or performing actions that could lead to escalation.
Enforces access control policies to block unauthorized command execution by low-privileged users through the NVUE interface.
Security Summary
CVE-2025-33180 is a command injection vulnerability (CWE-77) in the NVUE interface of NVIDIA Cumulus Linux and NVOS products. Published on 2026-02-24, it carries a CVSS v3.1 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The flaw allows a low-privileged user to inject a command, which could lead to escalation of privileges.
An attacker requires adjacent network (AV:A) access and low privileges (PR:L) to exploit this with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U), primarily manifesting as privilege escalation from the injected command.
Mitigation details are available in the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5722. Further analysis is on the NVD page at https://nvd.nist.gov/vuln/detail/CVE-2025-33180, and the CVE record is at https://www.cve.org/CVERecord?id=CVE-2025-33180.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection allows arbitrary Unix shell command execution (T1059.004), enabling privilege escalation (T1068).