Impact
The vulnerability in NVIDIA NeMo Framework is a code injection flaw that can allow an attacker to execute arbitrary code, potentially escalating privileges, divulging confidential information, or tampering with data. The flaw potentially permits inserting malicious code into the execution context of the framework, leading to compromise of confidentiality, integrity, and availability as outlined by CWE-94. Based on the description, it is inferred that the attack vector could be a remote code injection through unsanitized input or configuration, although the precise path is not specified in the CVE data.
Affected Systems
NVIDIA NeMo Framework across all platforms is affected. The CVE does not enumerate specific affected versions, so any installed instance of the NeMo Framework, regardless of version, should be considered at risk unless a later release explicitly states otherwise.
Risk and Exploitability
The CVSS score of 7.8 indicates a High severity impact. The EPSS score of less than 1% suggests exploitation likelihood is currently very low, and the vulnerability is not listed in the CISA KEV catalog. The likely attack path involves remote code injection leveraging untrusted inputs into the framework; exploiting this flaw would grant an attacker the ability to run arbitrary code with the privileges of the NeMo process. Given the absence of an available exploit in the public domain and the low EPSS rating, the immediate risk is moderate, but the potential consequences warrant prompt remediation.
OpenCVE Enrichment