CVE-2025-33222

Critical

Published: 23 December 2025

Published

23 December 2025

Modified

15 January 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0017 37.3th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

NVIDIA Isaac Launchable contains a vulnerability where an attacker could exploit a hard-coded credential issue. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, denial of service, and data tampering.

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match

prevent

Authenticator Management prohibits hard-coded credentials and enforces proper establishment and management of authenticators, directly preventing exploitation of CVE-2025-33222.

SI-2 Flaw Remediation good match

preventrecover

Flaw Remediation requires timely identification, reporting, and correction of the hard-coded credential flaw in NVIDIA Isaac Launchable via patches or updates.

AC-2 Account Management partial match

prevent

Account Management allows for the creation, review, modification, disabling, or removal of accounts tied to hard-coded credentials, limiting unauthorized access.

Security SummaryAI

CVE-2025-33222 is a critical vulnerability in NVIDIA Isaac Launchable stemming from a hard-coded credential issue, classified under CWE-798 (Use of Hard-coded Credentials). Published on 2025-12-23, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low attack complexity, and lack of prerequisites for exploitation.

The vulnerability enables remote attackers with no required privileges or user interaction to exploit the hard-coded credentials in NVIDIA Isaac Launchable. Successful exploitation could result in arbitrary code execution, privilege escalation, denial of service, and data tampering, potentially compromising the affected system's confidentiality, integrity, and availability.

Mitigation details are available in official advisories, including NVIDIA's security bulletin at https://nvidia.custhelp.com/app/answers/detail/a_id/5749, the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-33222, and the CVE record at https://www.cve.org/CVERecord?id=CVE-2025-33222. Security practitioners should consult these sources for patch availability, workarounds, and updated guidance.

Details

CWE(s): CWE-798

Affected Products

nvidia

isaac launchable

1.0

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

Hard-coded credentials enable use of default/valid accounts (T1078.001) for remote unauthenticated initial access via public-facing application exploitation (T1190), leading directly to arbitrary code execution and privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://nvd.nist.gov/vuln/detail/CVE-2025-33222
US Government Resource · psirt@nvidia.com
https://nvidia.custhelp.com/app/answers/detail/a_id/5749
Vendor Advisory · psirt@nvidia.com
https://www.cve.org/CVERecord?id=CVE-2025-33222
Third Party Advisory · psirt@nvidia.com