無料スキャン
HIGHCVE-2025-23296CVSS 7.8

NVIDIA Isaac-GR00T for all platforms には、Python コンポーネントに脆弱性が存在し、攻撃者がコードインジェクションを引き起こす可能性があります。この脆弱性の悪用により、コード

プラットフォーム

nvidia

コンポーネント

nvidia-isaac-gr00t

修正版

9.0.1

AI Confidence: highNVDEPSS 0.0%レビュー済み: 2026年5月
NVDで見る
保存
あなたの言語に翻訳中…

CVE-2025-23296 describes a code injection vulnerability discovered in NVIDIA Isaac-GR00T, a robotics development platform. Successful exploitation could allow an attacker to execute arbitrary code, potentially leading to significant data compromise and system control. This vulnerability affects all versions of Isaac-GR00T prior to code commit 9ca97e1. A fix is available in version 9ca97e1.

影響と攻撃シナリオ翻訳中…

The code injection vulnerability in NVIDIA Isaac-GR00T allows an attacker to inject and execute malicious code within the Python component. This could lead to a wide range of impacts, including complete system compromise. An attacker could gain unauthorized access to sensitive data, modify system configurations, and potentially establish persistent access. The potential for privilege escalation is significant, as the injected code could be executed with the privileges of the Isaac-GR00T process. Data tampering could corrupt training datasets or deployed models, leading to unpredictable robot behavior. The blast radius extends to any system utilizing vulnerable versions of Isaac-GR00T, particularly those involved in critical robotics applications.

悪用の状況翻訳中…

CVE-2025-23296 was publicly disclosed on 2025-08-13. There is no indication of this vulnerability being actively exploited at this time. The EPSS score is currently pending evaluation. No public proof-of-concept exploits have been published. It is not listed on the CISA KEV catalog.

リスク対象者翻訳中…

Robotics developers and engineers utilizing NVIDIA Isaac-GR00T are at risk. Organizations deploying Isaac-GR00T in production environments, particularly those involving autonomous systems or critical infrastructure, face a heightened risk. Those using older, unpatched versions of Isaac-GR00T are most vulnerable.

検出手順翻訳中…

• windows / supply-chain:

Get-Process | Where-Object {$_.ProcessName -like '*isaac-gr00t*'}

• linux / server:

ps aux | grep isaac-gr00t

• python:

import os
import sys
print(sys.version)

• generic web: Check for unusual file uploads or modifications to Python scripts within the Isaac-GR00T environment.

攻撃タイムライン

  1. Disclosure

    disclosure

脅威インテリジェンス

エクスプロイト状況

概念実証不明
CISA KEVNO
インターネット露出

EPSS

0.04% (10% パーセンタイル)

CISA SSVC

悪用状況none
自動化可能no
技術的影響total

CVSS ベクトル

脅威インテリジェンス· CVSS 3.1CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H7.8HIGHAttack VectorLocal攻撃者がターゲットに到達する方法Attack ComplexityLow悪用に必要な条件Privileges RequiredLow攻撃に必要な認証レベルUser InteractionNone被害者の操作が必要かどうかScopeUnchanged影響コンポーネント外への波及ConfidentialityHigh機密データ漏洩のリスクIntegrityHigh不正データ改ざんのリスクAvailabilityHighサービス障害のリスクnextguardhq.com · CVSS v3.1 基本スコア
これらのメトリクスの意味は?
Attack Vector
ローカル — システム上のローカルセッションまたはシェルが必要。
Attack Complexity
低 — 特別な条件不要。安定して悪用可能。
Privileges Required
低 — 有効なユーザーアカウントがあれば十分。
User Interaction
なし — 自動かつ無音の攻撃。被害者は何もしない。
Scope
変化なし — 影響は脆弱なコンポーネントのみ。
Confidentiality
高 — 機密性の完全喪失。全データが読み取り可能。
Integrity
高 — 任意のデータの書き込み・変更・削除が可能。
Availability
高 — 完全なクラッシュまたはリソース枯渇。完全なサービス拒否。

影響を受けるソフトウェア

コンポーネントnvidia-isaac-gr00t
ベンダーNVIDIA
影響範囲修正版
All versions that do not include code commit 9ca97e1 – All versions that do not include code commit 9ca97e19.0.1

弱点分類 (CWE)

CWE-94

タイムライン

  1. 予約済み
  2. 公開日
  3. EPSS 更新日

緩和策と回避策翻訳中…

The primary mitigation for CVE-2025-23296 is to upgrade to version 9ca97e1 or later. If immediate upgrading is not feasible, consider implementing strict input validation on any data passed to the vulnerable Python component. This can help prevent malicious code from being injected. Review and restrict access to the Python component to only authorized users and processes. Monitor system logs for any unusual activity or attempts to exploit the vulnerability. While a WAF is unlikely to directly mitigate this code injection, it can help detect and block suspicious requests targeting the vulnerable component. After upgrading, confirm the fix by attempting to trigger the code injection vulnerability with known payloads and verifying that they are blocked.

修正方法翻訳中…

Actualice NVIDIA Isaac-GR00T a la versión que incluye el commit 9ca97e1 o posterior. Esto solucionará la vulnerabilidad de inyección de código. Consulte el advisory de NVIDIA para obtener más detalles e instrucciones específicas.

CVEセキュリティニュースレター

脆弱性分析と重要アラートをメールでお届けします。

よくある質問翻訳中…

What is CVE-2025-23296 — Code Injection in NVIDIA Isaac-GR00T?

CVE-2025-23296 is a code injection vulnerability affecting NVIDIA Isaac-GR00T versions before 9ca97e1. It allows attackers to inject and execute malicious code, potentially leading to system compromise.

Am I affected by CVE-2025-23296 in NVIDIA Isaac-GR00T?

You are affected if you are using NVIDIA Isaac-GR00T versions prior to 9ca97e1. Check your version and upgrade immediately if vulnerable.

How do I fix CVE-2025-23296 in NVIDIA Isaac-GR00T?

Upgrade to version 9ca97e1 or later. Implement input validation as a temporary workaround if upgrading is not immediately possible.

Is CVE-2025-23296 being actively exploited?

There is currently no evidence of active exploitation of CVE-2025-23296.

Where can I find the official NVIDIA advisory for CVE-2025-23296?

Refer to the NVIDIA security bulletin for CVE-2025-23296 on the NVIDIA website (https://www.nvidia.com/en-us/security/).

あなたのプロジェクトは影響を受けていますか?

依存関係ファイルをアップロードすれば、このCVEや他のCVEがあなたに影響するか即座にわかります。

無料スキャンCVEを検索