CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H
Description
NVIDIA B300 MCU contains a vulnerability in the CX8 MCU that could allow a malicious actor to modify unsupported registries, causing a bad state. A successful exploit of this vulnerability might lead to denial of service and data tampering.
Analysis
This vulnerability in NVIDIA's B300 MCU (specifically the CX8 MCU component) allows privileged attackers with network access to modify unsupported hardware registries, potentially causing denial of service and data tampering. The flaw affects HGX and DGX B300 systems and requires high privileges and non-trivial attack complexity to exploit, though no public exploit code or active exploitation has been reported at this time. SSVC assessment indicates the vulnerability presents partial technical impact with no known automated exploitation capability.
Technical Context
The vulnerability resides in the CX8 MCU (Microcontroller Unit) firmware component integrated into NVIDIA's B300 HGX and DGX accelerator platforms (identified via CPE cpe:2.3:a:nvidia:hgx_and_dgx_b300). The root cause is classified under CWE-1234, which generally relates to improper resource validation or access control mechanisms. The B300 MCU is responsible for managing hardware state, power delivery, and system monitoring; unauthorized registry modifications can corrupt internal state machines, trigger watchdog resets, or corrupt telemetry data. The attack surface is limited to network-accessible MCU management interfaces, typically protected by authentication and accessed through administrative channels.
Affected Products
NVIDIA HGX B300 and DGX B300 systems are affected across all versions according to the CPE identifier cpe:2.3:a:nvidia:hgx_and_dgx_b300:*:*:*:*:*:*:*:*. These are enterprise-grade AI accelerator platforms used in high-performance computing and data center environments. Specific version boundaries are not detailed in available references, suggesting the vulnerability impacts all current and prior firmware versions of the B300 MCU. Organizations running B300-equipped clusters should consult NVIDIA's security advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5768 for precise version information and supported upgrade paths.
Remediation
Apply the security update provided by NVIDIA for the B300 MCU firmware via the vendor advisory at https://nvidia.custhelp.com/app/answers/detail/a_id/5768. Until patching is possible, restrict network access to the MCU management interface to trusted administrative hosts only, implement network segmentation to isolate B300 systems from untrusted subnets, enforce strong authentication and role-based access control on MCU administrative accounts, and monitor MCU logs for unauthorized registry modification attempts. Coordinate patching with your NVIDIA support team to ensure compatibility with your HGX/DGX firmware versions and avoid service interruption.
EUVD-2025-208971
GHSA-wrfr-265x-gm85