CVE-2025-33246
Command Injection in NVIDIA NeMo ASR Evaluator Enables Code Execution
Publication date: 2026-02-18
Last updated on: 2026-02-20
Assigner: NVIDIA Corporation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nvidia | nemo | to 2.6.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-33246 is a vulnerability in the NVIDIA NeMo Framework affecting all platforms, specifically within the ASR Evaluator utility.
The flaw arises from improper neutralization of special elements in a configuration parameter, allowing an attacker to supply crafted input that leads to command injection (CWE-77).
Exploiting this vulnerability can result in arbitrary code execution, privilege escalation, data tampering, or information disclosure.
How can this vulnerability impact me? :
A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, or information disclosure.
- Arbitrary code execution allows attackers to run malicious code on the affected system.
- Privilege escalation enables attackers to gain higher access rights than intended.
- Data tampering can compromise the integrity of data.
- Information disclosure can expose sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability involves command injection through a crafted input to a configuration parameter in the NVIDIA NeMo Framework's ASR Evaluator utility. Detection would require inspecting the configuration parameters for suspicious or unexpected input that could lead to command injection."}, {'type': 'paragraph', 'content': 'Since the vulnerability requires local access and low privileges, detection commands could include searching for unusual or malformed configuration files or parameters related to the ASR Evaluator utility.'}, {'type': 'list_item', 'content': 'Use commands like \'grep\' to search for suspicious input patterns in configuration files, for example: grep -r --color=auto ";" /path/to/nemo/config/'}, {'type': 'list_item', 'content': 'Check running processes or logs for unexpected command executions related to the ASR Evaluator utility.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting local access to the NVIDIA NeMo Framework, especially the ASR Evaluator utility, to trusted users only.
Review and sanitize all configuration parameters to ensure they do not contain crafted inputs that could lead to command injection.
Apply any available patches or updates provided by NVIDIA addressing this vulnerability.
Monitor system logs and behavior for signs of exploitation attempts.