
NVIDIA has disclosed two critical code injection vulnerabilities affecting its Isaac-GR00T robotics platform.
The vulnerabilities, tracked as CVE-2025-33183 and CVE-2025-33184, exist within Python components and could allow authenticated attackers to execute arbitrary code, escalate privileges, and alter system data.
The flaws pose a significant threat to organizations deploying NVIDIA’s robotics solutions across industrial automation, research facilities, and autonomous systems.
Both vulnerabilities carry a high CVSS score of 7.8, indicating serious security risks that require immediate remediation.

Vulnerability Details

The code injection issues affect all versions of NVIDIA Isaac-GR00T N1.5 across all platforms.
An attacker with local access and low-level privileges could exploit these vulnerabilities without user interaction, potentially gaining complete system control.

| CVE ID | Description | CVSS Score | CWE | Attack Vector |
|---|---|---|---|---|
| CVE-2025-33183 | Code injection in Python component allowing arbitrary code execution | 7.8 | CWE-94 | Local/Low Privilege |
| CVE-2025-33184 | Code injection in Python component allowing arbitrary code execution | 7.8 | CWE-94 | Local/Low Privilege |

Successful exploitation could result in unauthorized code execution, privilege escalation, information disclosure, and data modification, compromising the integrity of critical robotic operations.
Both vulnerabilities stem from improper handling of user-supplied input in Python components, classified under CWE-94 (Improper Control of Generation of Code).
This weakness has been historically exploited in numerous attacks targeting interpreted code environments.
NVIDIA has released a software update addressing both vulnerabilities. The patch is available through GitHub commit 7f53666 of the Isaac-GR00T repository.
Organizations running Isaac-GR00T should immediately update to any code branch incorporating this specific commit to eliminate the attack surface.
System administrators should prioritize deploying the security update across all Isaac-GR00T deployments.
Given the high severity rating and the potential for critical system compromise, NVIDIA recommends treating this as an urgent priority.
Organizations unable to patch immediately should restrict local access to affected systems and monitor for suspicious activity.
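
To confirm that a given Isaac-GR00T checkout already incorporates the fix commit, the following added example (not NVIDIA's code and not part of the original advisory) tests whether `7f53666` is an ancestor of the checked-out `HEAD`. The function name `check_fix` and the `PATCHED`/`MISSING`/`UNKNOWN` labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report whether a local checkout contains the fix commit
# named in the advisory. Names and labels here are illustrative.
FIX_COMMIT="${FIX_COMMIT:-7f53666}"

# check_fix <repo_dir> [commit]
# Prints PATCHED, MISSING or UNKNOWN and returns 0, 1 or 2 respectively.
check_fix() {
    repo="$1"
    commit="${2:-$FIX_COMMIT}"

    # Not a git repository (e.g. a tarball or wheel install): history is unavailable.
    if ! git -C "$repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo "UNKNOWN: $repo is not a git checkout"
        return 2
    fi

    # Commit object absent: stale clone (fix never fetched) or shallow clone
    # (history truncated), so ancestry cannot be decided locally.
    if ! git -C "$repo" cat-file -e "${commit}^{commit}" 2>/dev/null; then
        echo "UNKNOWN: $commit not present in $repo (fetch full upstream history)"
        return 2
    fi

    # merge-base --is-ancestor exits 0 if HEAD descends from the commit,
    # 1 if it does not, and another value on error (e.g. no commits yet).
    rc=0
    git -C "$repo" merge-base --is-ancestor "$commit" HEAD 2>/dev/null || rc=$?
    case "$rc" in
        0) echo "PATCHED: HEAD of $repo contains $commit"; return 0 ;;
        # A fix cherry-picked under a different hash would also land here.
        1) echo "MISSING: HEAD of $repo does not contain $commit"; return 1 ;;
        *) echo "UNKNOWN: could not compare $commit with HEAD in $repo"; return 2 ;;
    esac
}

# Run directly as: sh check_fix.sh /path/to/Isaac-GR00T
if [ "$#" -gt 0 ]; then
    check_fix "$@"
fi
```

An `UNKNOWN` result should be treated as unpatched until the deployment's code version has been established some other way.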
NVIDIA’s Product Security Incident Response Team (PSIRT) continues monitoring for exploitation attempts.
The vulnerabilities were responsibly disclosed by Peter Girnus of Trend Micro Zero Day Initiative, highlighting the importance of coordinated vulnerability research.
For comprehensive information, visit NVIDIA’s Product Security page to access the complete security alerts and subscribe to future vulnerability notifications.
