CVE-2025-33246
Received Received - Intake
Command Injection in NVIDIA NeMo ASR Evaluator Enables Code Execution

Publication date: 2026-02-18

Last updated on: 2026-02-20

Assigner: NVIDIA Corporation

Description
NVIDIA NeMo Framework for all platforms contains a vulnerability in the ASR Evaluator utility, where a user could cause a command injection by supplying crafted input to a configuration parameter. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, or information disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-33246
EUVD
EUVD-2025-207815
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nvidia nemo to 2.6.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-33246 is a vulnerability in the NVIDIA NeMo Framework affecting all platforms, specifically within the ASR Evaluator utility.

The flaw arises from improper neutralization of special elements in a configuration parameter, allowing an attacker to supply crafted input that leads to command injection (CWE-77).

Exploiting this vulnerability can result in arbitrary code execution, privilege escalation, data tampering, or information disclosure.

Impact Analysis

A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, or information disclosure.

  • Arbitrary code execution allows attackers to run malicious code on the affected system.
  • Privilege escalation enables attackers to gain higher access rights than intended.
  • Data tampering can compromise the integrity of data.
  • Information disclosure can expose sensitive information.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves command injection through a crafted input to a configuration parameter in the NVIDIA NeMo Framework's ASR Evaluator utility. Detection would require inspecting the configuration parameters for suspicious or unexpected input that could lead to command injection."}, {'type': 'paragraph', 'content': 'Since the vulnerability requires local access and low privileges, detection commands could include searching for unusual or malformed configuration files or parameters related to the ASR Evaluator utility.'}, {'type': 'list_item', 'content': 'Use commands like \'grep\' to search for suspicious input patterns in configuration files, for example: grep -r --color=auto ";" /path/to/nemo/config/'}, {'type': 'list_item', 'content': 'Check running processes or logs for unexpected command executions related to the ASR Evaluator utility.'}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting local access to the NVIDIA NeMo Framework, especially the ASR Evaluator utility, to trusted users only.

Review and sanitize all configuration parameters to ensure they do not contain crafted inputs that could lead to command injection.

Apply any available patches or updates provided by NVIDIA addressing this vulnerability.

Monitor system logs and behavior for signs of exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-33246. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart