NVIDIA has revealed two severe code injection vulnerabilities impacting its Isaac-GR00T robotics framework.
The vulnerabilities, identified as CVE-2025-33183 and CVE-2025-33184, are present within Python modules and may enable authenticated attackers to execute arbitrary code, elevate privileges, and modify system data.
The defects present a major risk to enterprises implementing NVIDIA’s robotics solutions in industrial automation, research laboratories, and autonomous systems.
Both vulnerabilities carry a CVSS score of 7.8, indicating critical security issues that necessitate prompt action.
Details of Vulnerability
The code injection vulnerabilities affect every version of NVIDIA Isaac-GR00T N1.5 across all systems.
An attacker with local access and minimal privileges could take advantage of these vulnerabilities without any user interaction, potentially obtaining complete control over the system.
| CVE ID | Description | CVSS Score | CWE | Attack Vector |
|---|---|---|---|---|
| CVE-2025-33183 | Code injection in Python module facilitating arbitrary code execution | 7.8 | CWE-94 | Local/Low Privilege |
| CVE-2025-33184 | Code injection in Python module facilitating arbitrary code execution | 7.8 | CWE-94 | Local/Low Privilege |
Successful exploitation could lead to unauthorized code execution, privilege elevation, information exposure, and data alteration, jeopardizing the integrity of essential robotic operations.
Both vulnerabilities originate from inadequate management of user-supplied input in Python components, classified under CWE-94 (Improper Control of Generation of Code).
This weakness class has historically been exploited in attacks targeting interpreted-language environments.
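As an added illustration of the CWE-94 pattern described above (hypothetical code, not taken from Isaac-GR00T or NVIDIA): a parameter parser that hands caller-supplied text to `eval()` beside a hardened version that accepts only Python literals and validates them against a schema. The parameter names and the `ParamError` type are assumptions made for the example.

```python
"""Illustrative CWE-94 pattern in Python: eval() on caller-supplied text beside
a parser that accepts only literals and validates them. Hypothetical code, not
taken from Isaac-GR00T."""
import ast
from typing import Any

# Hypothetical parameter schema (assumption for this example): key -> accepted types.
PARAM_TYPES: dict[str, tuple[type, ...]] = {
    "max_speed": (int, float),
    "joint_limits": (list,),
    "log_level": (str,),
}


class ParamError(ValueError):
    """Raised when untrusted input is rejected instead of interpreted."""


def parse_params_unsafe(raw: str) -> dict[str, Any]:
    # CWE-94: the string is handed to the interpreter, so any expression in it
    # runs with the privileges of this process.
    return eval(raw)  # noqa: S307  (kept only to contrast with the safe version)


def parse_params_safe(raw: str, max_len: int = 4096) -> dict[str, Any]:
    """Accept a dict literal only; calls, names and attribute access are rejected."""
    if len(raw) > max_len:
        raise ParamError("input too long")
    try:
        # literal_eval builds Python literals from the AST without executing code;
        # a Call, Name or Attribute node makes it raise ValueError.
        value = ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ParamError(f"not a plain literal: {exc}") from exc
    if not isinstance(value, dict):
        raise ParamError("expected a dict literal")
    for key, val in value.items():
        if not isinstance(key, str) or key not in PARAM_TYPES:
            raise ParamError(f"unknown parameter: {key!r}")
        # bool is a subclass of int; treat True/False as a type mismatch for numbers.
        if isinstance(val, bool) or not isinstance(val, PARAM_TYPES[key]):
            raise ParamError(f"bad type for {key!r}: {type(val).__name__}")
    return value


if __name__ == "__main__":
    # Constructed input: a harmless call expression makes the difference visible.
    sample = '{"max_speed": float("1.5")}'
    print("unsafe:", parse_params_unsafe(sample))  # the call inside the string runs
    try:
        parse_params_safe(sample)
    except ParamError as err:
        print("safe:", err)  # rejected before anything is executed
```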
NVIDIA has released a software update that addresses both vulnerabilities. The fix is available as GitHub commit 7f53666 of the Isaac-GR00T repository.
Organizations utilizing Isaac-GR00T should urgently update to any code branch that includes this specific commit to close the attack vector.
System administrators are encouraged to prioritize the deployment of the security update across all installations of Isaac-GR00T.
Considering the high severity rating and the potential for critical system compromise, NVIDIA advises treating this as an urgent priority.
Organizations that are unable to patch immediately should restrict local access to vulnerable systems and monitor for unusual activity.
NVIDIA’s Product Security Incident Response Team (PSIRT) is actively monitoring for exploitation attempts.
The vulnerabilities were responsibly reported by Peter Girnus of Trend Micro Zero Day Initiative, underscoring the significance of coordinated vulnerability research.
For more in-depth information, visit NVIDIA’s Product Security page to access the complete security alerts and sign up for future vulnerability updates.