NVIDIA Isaac-GROOT Flaws Let Attackers Inject Malicious Code

NVIDIA has released security updates addressing two critical code injection vulnerabilities in its Isaac-GR00T robotics software platform.

The flaws could allow attackers with local system access to execute arbitrary code, escalate privileges, and tamper with sensitive data, potentially compromising robotic systems and their underlying infrastructure.

The vulnerabilities, tracked as CVE-2025-33183 and CVE-2025-33184, affect all versions of NVIDIA Isaac-GR00T across all supported platforms.

| CVE ID | CVSS Score | Severity | Impacts |
|---|---|---|---|
| CVE-2025-33183 | 7.8 | High | Code execution, escalation of privileges, information disclosure, data tampering |
| CVE-2025-33184 | 7.8 | High | Code execution, escalation of privileges, information disclosure, data tampering |

Both issues stem from improper handling of user inputs in Python components, enabling attackers to inject malicious code into the system without user interaction.

Understanding the Threat

An attacker with local access and low privileges could exploit these flaws to execute arbitrary commands and gain elevated system permissions.

The vulnerability chain could lead to unauthorized access to sensitive information, system compromise, and manipulation of robotic operations.

With a CVSS score of 7.8, both vulnerabilities carry a High severity rating, reflecting their significant security impact.

The exploitation requires local access to the target system, meaning attackers must already have a foothold within the network or device.

However, once this prerequisite is met, no further user interaction is required for successful exploitation, making these vulnerabilities particularly dangerous in shared computing environments or on compromised systems.

NVIDIA recommends users immediately apply the security patch available through GitHub commit 7f53666 of the Isaac-GR00T repository.

The update addresses the root cause of both vulnerabilities and should be deployed across all systems running the affected software.

Organizations using Isaac-GR00T in production environments should prioritize testing and deployment of the security patch.

System administrators should verify that their installations are running code branches that include the critical security commit and consider implementing network segmentation to limit local access to robotics systems.
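A practical way to perform the verification described above is to ask git whether the fix commit is an ancestor of the checked-out revision. The script below is an added example, not NVIDIA's or the Isaac-GR00T project's code: only the commit id 7f53666 comes from the advisory, and the demonstration repository it builds (with a stand-in "fix" commit) is constructed so the script can show all three verdicts offline. It assumes git is installed.

```shell
#!/bin/sh
# Added example: checks whether a local clone of Isaac-GR00T already contains the
# fix commit named in the advisory (7f53666). Assumes git is installed; the
# FIX_COMMIT default is the advisory's id, everything else below is constructed.
FIX_COMMIT="${FIX_COMMIT:-7f53666}"

# Run git inside a given repo with a throwaway identity (used by the demo below).
g() { g_repo="$1"; shift; git -C "$g_repo" -c user.name=demo -c user.email=demo@example.invalid "$@"; }

# has_fix_commit REPO_DIR [COMMIT]
# Prints "yes" if COMMIT is reachable from the checked-out HEAD, "no" if the
# commit exists but HEAD does not descend from it (a stale branch), and
# "unknown" if the object is absent from the clone (shallow clone, fork that
# never fetched upstream): an absent object is not evidence that the fix is in.
has_fix_commit() {
  hfc_repo="$1"; hfc_commit="${2:-$FIX_COMMIT}"
  if ! git -C "$hfc_repo" cat-file -e "${hfc_commit}^{commit}" 2>/dev/null; then
    echo unknown
  elif git -C "$hfc_repo" merge-base --is-ancestor "$hfc_commit" HEAD 2>/dev/null; then
    echo yes
  else
    echo no
  fi
}

# Constructed demonstration repository: one branch carries a stand-in "fix"
# commit, a second branch ("stale") was cut before it. Prints the three verdicts.
demo_constructed_repo() {
  d="$(mktemp -d)"
  git -c init.defaultBranch=main init -q "$d"
  echo base > "$d/model.py"
  g "$d" add model.py
  g "$d" commit -q -m "base"
  g "$d" branch stale                 # points at the pre-fix commit
  echo hardened >> "$d/model.py"
  g "$d" commit -q -a -m "fix: validate inputs (stand-in for 7f53666)"
  fix="$(g "$d" rev-parse --short HEAD)"
  r1="$(has_fix_commit "$d" "$fix")"          # main branch contains the fix
  g "$d" checkout -q stale
  r2="$(has_fix_commit "$d" "$fix")"          # stale branch does not
  r3="$(has_fix_commit "$d" 0000000000000000000000000000000000000000)"  # object absent
  rm -rf "$d"
  echo "$r1 $r2 $r3"
}

if [ -n "${1:-}" ]; then
  has_fix_commit "$1"          # usage: ./check_fix.sh /path/to/Isaac-GR00T
else
  demo_constructed_repo        # prints: yes no unknown
fi
```

Run it with the path of the deployed checkout as its only argument; treat "unknown" as a failed check rather than a pass, since a shallow or detached clone cannot prove the fix is present, and fetch upstream before re-running.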
