CVE-2025-33210

Critical

Published: 16 December 2025

Published

16 December 2025

Modified

02 February 2026

KEV Added

—

Patch

—

CVSS Score 9.0 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Score 0.0020 42.2th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

NVIDIA Isaac Lab contains a deserialization vulnerability. A successful exploit of this vulnerability might lead to code execution.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the deserialization vulnerability by requiring timely identification, reporting, and correction of the specific flaw in NVIDIA Isaac Lab.

SI-10 Information Input Validation good match

prevent

Prevents exploitation of the deserialization vulnerability by validating and filtering untrusted network inputs before deserialization to block malicious payloads.

SI-16 Memory Protection good match

prevent

Mitigates arbitrary code execution resulting from successful deserialization by implementing memory protections such as DEP and ASLR.

Security SummaryAI

CVE-2025-33210 is a deserialization vulnerability (CWE-502) affecting NVIDIA Isaac Lab. A successful exploit of this vulnerability might lead to code execution. The issue has a CVSS v3.1 base score of 9.0, with the vector AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H, indicating network accessibility, low attack complexity, low privileges required, user interaction needed, changed scope, and high impacts across confidentiality, integrity, and availability. It was published on 2025-12-16.

An attacker with low privileges can exploit this vulnerability over the network with low complexity, though it requires user interaction. Upon successful exploitation, the attacker can achieve arbitrary code execution, resulting in high-impact compromise of the affected system.

Advisories providing further details and potential mitigations are available from the NVIDIA security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5733, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33210, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33210.

Details

CWE(s): CWE-502

Affected Products

nvidia

isaac lab

≤ 2.3.0

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution

Adversaries may exploit software vulnerabilities in client applications to execute code.

attack.mitre.org →

Why these techniques?

Deserialization vulnerability (CWE-502) in NVIDIA Isaac Lab leads to arbitrary code execution with network access, low privileges, and user interaction, directly facilitating exploitation of client software vulnerabilities.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://nvd.nist.gov/vuln/detail/CVE-2025-33210
US Government Resource, VDB Entry · psirt@nvidia.com
https://nvidia.custhelp.com/app/answers/detail/a_id/5733
Patch, Vendor Advisory · psirt@nvidia.com
https://www.cve.org/CVERecord?id=CVE-2025-33210
Third Party Advisory · psirt@nvidia.com