Multiple NVIDIA Flaws Allow Attackers to Escalate Privileges on Systems


NVIDIA has issued a critical security bulletin revealing multiple vulnerabilities in its NVIDIA App software that can enable attackers to escalate privileges on Windows systems.

The flaws, addressed in the September 2025 update, stem from improper file handling during the installation of FrameView SDK components.

Users of NVIDIA App on Windows 10 and 11 are urged to install version 11.0.5.245 or later immediately to protect their systems.

Overview of the Vulnerabilities

The primary issue, tracked as CVE-2025-23297, resides in the NVIDIA Installer for NvAPP on Windows.

During the FrameView SDK installation process, an unprivileged local user could modify files within the FrameView SDK directory.

Exploiting this flaw allows an attacker to gain elevated privileges, potentially leading to full system compromise.

Key details:

  • An attacker needs only local unprivileged access to execute the exploit.
  • No user interaction is required once local access is achieved.
  • A successful attack can compromise confidentiality, integrity, and availability of the system.
  • NVIDIA credits Dong-uk Kim and JunYoung Park of KAIST Hacking Lab for reporting this issue.
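
A defender can check whether a directory like the one described above is writable by non-administrative accounts. The script below is an added example, not NVIDIA's code or detection logic: it is a generic first-pass ACL audit, and the default path is a placeholder because the page does not give the FrameView SDK install location.

```powershell
param(
    # Placeholder (assumption): pass the real FrameView SDK install directory.
    [string]$Path = 'C:\PLACEHOLDER\FrameViewSDK'
)

# Well-known SIDs of broad, non-administrative groups (locale-independent).
$lowPriv = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that allow planting, replacing or deleting files, or rewriting the ACL,
# plus the raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits,
# which can appear unmapped on inherit-only entries.
$rights = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask   = $rights -bor 0x40000000 -bor 0x10000000

function Get-WeakWriteAce {
    param([string]$Root)
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # unreadable ACL: skip rather than guess
        # Ask for identities as SIDs so the comparison does not depend on name resolution.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference.Value
            if ($rule.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
                (([int]$rule.FileSystemRights -band $mask) -ne 0)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = $lowPriv[$sid]
                    Rights    = $rule.FileSystemRights
                    Inherited = $rule.IsInherited
                }
            }
        }
    }
}

if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Path not found: $Path"; return }
$findings = @(Get-WeakWriteAce -Root $Path)
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { "No write-capable Allow entries for low-privileged groups under $Path" }
```

The script reports Allow entries only and does not compute effective access, so Deny entries and per-user grants still need a manual look.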

Vulnerability Details

| CVE ID | Base Score | Severity | Impact |
|---|---|---|---|
| CVE-2025-23297 | 7.8 | High | Escalation of privileges |

This security update applies to NVIDIA App running on Windows:

| CVE IDs Addressed | Product | Platform / OS | Affected Versions | Updated Version |
|---|---|---|---|---|
| CVE-2025-23297 | NVIDIA App | Windows 10 / 11 | All versions prior to 11.0.5.245 | 11.0.5.245 |

Mitigation and Recommendations

To secure systems against these vulnerabilities:

  1. Download and install the latest NVIDIA App update (version 11.0.5.245) from the NVIDIA App site.
  2. Verify installation success by launching NVIDIA App and checking the version in the “About” section.
  3. Subscribe to NVIDIA Product Security bulletins to receive notifications of future updates.
  4. Report any anomalies via the NVIDIA Product Security page to assist the PSIRT team in rapid response.

NVIDIA extends its gratitude to Dong-uk Kim and JunYoung Park of KAIST Hacking Lab for responsibly disclosing CVE-2025-23297.

All NVIDIA materials are provided “as is” without warranties. Specifications are subject to change without notice.

NVIDIA is not liable for third-party patent infringements or system misconfigurations resulting from use of this information.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.