
CVE-2025-33200: NVIDIA DGX Spark GB10 SROOT Firmware Vulnerability – A Closer Look

Overview

CVE-2025-33200 is a low-severity vulnerability in the SROOT firmware of the NVIDIA DGX Spark GB10. An attacker with local, privileged access could cause a resource to be reused, which might lead to information disclosure. The vulnerability was published on 2025-11-25 with a CVSS v3.1 base score of 2.3 (Low).

Technical Details

The vulnerability is a resource-reuse flaw in the SROOT firmware: a resource that one operation has used (the advisory does not say which; a buffer or other storage is the typical case) is handed to a later operation without its previous contents being cleared. Whatever the earlier operation left behind becomes readable to the later one, which is the information disclosure the advisory describes.

Exploitation requires local access with high privileges (CVSS PR:H), so the realistic attacker is a user or process that already holds elevated rights on the DGX Spark host; no user interaction is needed. The impact is limited to a partial loss of confidentiality with no integrity or availability effect, but the advisory does not say what the reused resource holds, and a leak from platform firmware still warrants attention wherever firmware-level secrets matter.
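To make the pattern concrete, the following C program is an added illustration of the flaw class, written for this page; it is not NVIDIA's SROOT code, and the pool allocator, the 16-byte sample secret and all function names are constructed for the example. It first hands a freed block to the next caller unchanged, then shows the fix: scrubbing the block on release through a volatile pointer so that the compiler cannot drop the clearing stores as dead writes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_SIZE 64
#define NBLOCKS    4

/* Hypothetical fixed-block pool in the style of a small firmware allocator.
 * Constructed for illustration only; it is not NVIDIA's SROOT code. */
typedef struct {
    uint8_t mem[NBLOCKS][BLOCK_SIZE];
    uint8_t in_use[NBLOCKS];
    size_t  last_freed;    /* allocation scans from here, so a freed block is reused first */
    int     scrub_on_free; /* 0 = hand blocks back as-is (the bug), 1 = clear them first */
} pool_t;

static void pool_init(pool_t *p, int scrub_on_free)
{
    memset(p, 0, sizeof *p);
    p->scrub_on_free = scrub_on_free;
}

static uint8_t *pool_alloc(pool_t *p)
{
    for (size_t n = 0; n < NBLOCKS; n++) {
        size_t idx = (p->last_freed + n) % NBLOCKS;
        if (!p->in_use[idx]) {
            p->in_use[idx] = 1;
            return p->mem[idx];
        }
    }
    return NULL;
}

/* Zero through a volatile pointer so the compiler cannot remove the stores as
 * "dead" writes to memory that is about to be released (the classic reason a
 * plain memset() right before free fails to scrub under optimization). */
static void secure_zero(uint8_t *buf, size_t len)
{
    volatile uint8_t *v = buf;
    while (len--)
        *v++ = 0;
}

static void pool_free(pool_t *p, uint8_t *blk)
{
    size_t idx = (size_t)(blk - &p->mem[0][0]) / BLOCK_SIZE;
    if (idx >= NBLOCKS || !p->in_use[idx])
        return;
    if (p->scrub_on_free)
        secure_zero(p->mem[idx], BLOCK_SIZE);   /* the fix: clear before reuse */
    p->in_use[idx] = 0;
    p->last_freed = idx;
}

/* Simulates the reuse pattern: a privileged operation stores a secret in a
 * block and releases it; a later, less trusted request receives the same
 * block. Returns how many bytes of the secret are still readable there. */
static size_t leaked_secret_bytes(int scrub_on_free)
{
    /* Constructed sample secret: 16 non-zero bytes standing in for key material. */
    static const uint8_t secret[16] = {
        0x4b, 0x45, 0x59, 0x3a, 0xde, 0xad, 0xbe, 0xef,
        0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef
    };
    pool_t pool;
    pool_init(&pool, scrub_on_free);

    uint8_t *first = pool_alloc(&pool);
    memcpy(first, secret, sizeof secret);   /* privileged use writes the secret */
    pool_free(&pool, first);                /* ... and releases the block */

    uint8_t *second = pool_alloc(&pool);    /* the next caller gets the same block */
    size_t leaked = 0;
    for (size_t k = 0; k < sizeof secret; k++)
        if (second[k] == secret[k])
            leaked++;
    return leaked;
}

int main(void)
{
    printf("unscrubbed pool: %zu of 16 secret bytes readable by the next owner\n",
           leaked_secret_bytes(0));
    printf("scrubbed pool:   %zu of 16 secret bytes readable by the next owner\n",
           leaked_secret_bytes(1));
    return 0;
}
```

Compile with any C99 compiler, preferably with optimization enabled (the volatile scrub survives it; a bare memset before release often does not). Clearing at allocation time would also close the leak, but clearing on release keeps the secret's lifetime shortest and also covers any path that reads released memory without going through the allocator.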

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) provides a standardized way to assess the severity of vulnerabilities. For CVE-2025-33200 the published CVSS v3.1 base score is 2.3 (LOW), which corresponds to the following metrics:

  • Attack Vector (AV): Local (L)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): High (H)
  • User Interaction (UI): None (N)
  • Scope (S): Unchanged (U)
  • Confidentiality Impact (C): Low (L)
  • Integrity Impact (I): None (N)
  • Availability Impact (A): None (N)

A note on Attack Complexity: if it were High, the same remaining metrics would score 1.9 under the CVSS v3.1 formula, not 2.3; the published 2.3 is only reproduced with AC:L. The low score comes from the local attack vector, the high privileges the attacker must already hold, and an impact limited to a partial loss of confidentiality with no integrity or availability effect.
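To check that arithmetic, here is a CVSS v3.1 base-score calculator in C, added as an example for this page (it is not from the page, NVIDIA, or any CVSS reference implementation). The metric weights and the Roundup rule are those given in the CVSS v3.1 specification; temporal and environmental metrics are ignored. Running it on the vector with AC:H gives 1.9, and with AC:L gives 2.3.

```c
#include <stdio.h>
#include <string.h>

/* Single-letter values of the eight CVSS v3.1 base metrics. */
typedef struct {
    char av, ac, pr, ui, s, c, i, a;
} cvss31_vector;

/* Parse "AV:L/AC:H/..." with or without a "CVSS:3.1/" prefix. Unknown metric
 * names (temporal/environmental) are skipped. Returns 1 on success, 0 if any
 * base metric is missing or malformed. */
static int cvss31_parse(const char *text, cvss31_vector *v)
{
    static const char *names[8] = { "AV", "AC", "PR", "UI", "S", "C", "I", "A" };
    char *slots[8] = { &v->av, &v->ac, &v->pr, &v->ui, &v->s, &v->c, &v->i, &v->a };
    char buf[160];
    unsigned seen = 0;

    if (strlen(text) >= sizeof buf)
        return 0;
    strcpy(buf, text);

    for (char *tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (!colon)
            return 0;
        *colon = '\0';
        if (strcmp(tok, "CVSS") == 0)
            continue;                          /* version prefix, e.g. CVSS:3.1 */
        if (colon[1] == '\0' || colon[2] != '\0')
            return 0;                          /* each value is one character */
        for (int k = 0; k < 8; k++) {
            if (strcmp(tok, names[k]) == 0) {
                *slots[k] = colon[1];
                seen |= 1u << k;
            }
        }
    }
    return seen == 0xFFu;
}

/* Look up the weight for a metric value; -1.0 if the value is not allowed. */
static double pick(char val, const char *keys, const double *weights)
{
    const char *hit = val ? strchr(keys, val) : NULL;
    return hit ? weights[hit - keys] : -1.0;
}

/* CVSS v3.1 Roundup: round up to one decimal using integer arithmetic at
 * 1e-5 precision, as the specification prescribes. */
static double cvss31_roundup(double x)
{
    long long i = (long long)(x * 100000.0 + 0.5);
    if (i % 10000 == 0)
        return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

/* Returns the base score, or -1.0 if the vector does not parse. */
static double cvss31_base(const char *text)
{
    cvss31_vector v;
    if (!cvss31_parse(text, &v))
        return -1.0;

    int changed = (v.s == 'C');
    static const double cia_w[] = { 0.56, 0.22, 0.0 };
    double av = pick(v.av, "NALP", (const double[]){ 0.85, 0.62, 0.55, 0.20 });
    double ac = pick(v.ac, "LH",   (const double[]){ 0.77, 0.44 });
    double pr = changed ? pick(v.pr, "NLH", (const double[]){ 0.85, 0.68, 0.50 })
                        : pick(v.pr, "NLH", (const double[]){ 0.85, 0.62, 0.27 });
    double ui = pick(v.ui, "NR", (const double[]){ 0.85, 0.62 });
    double c = pick(v.c, "HLN", cia_w);
    double i = pick(v.i, "HLN", cia_w);
    double a = pick(v.a, "HLN", cia_w);
    if (av < 0 || ac < 0 || pr < 0 || ui < 0 || c < 0 || i < 0 || a < 0 ||
        (v.s != 'U' && v.s != 'C'))
        return -1.0;

    double iss = 1.0 - (1.0 - c) * (1.0 - i) * (1.0 - a);
    double impact;
    if (changed) {
        double t = iss - 0.02, p15 = 1.0;
        for (int k = 0; k < 15; k++)
            p15 *= t;                          /* (ISS - 0.02)^15 without libm */
        impact = 7.52 * (iss - 0.029) - 3.25 * p15;
    } else {
        impact = 6.42 * iss;
    }
    double exploitability = 8.22 * av * ac * pr * ui;
    if (impact <= 0.0)
        return 0.0;
    double raw = changed ? 1.08 * (impact + exploitability) : impact + exploitability;
    if (raw > 10.0)
        raw = 10.0;
    return cvss31_roundup(raw);
}

int main(void)
{
    const char *with_ac_high = "AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N";
    const char *with_ac_low  = "AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N";
    printf("%s -> %.1f\n", with_ac_high, cvss31_base(with_ac_high));
    printf("%s -> %.1f\n", with_ac_low,  cvss31_base(with_ac_low));
    return 0;
}
```

The same function reproduces well-known scores, for example 9.8 for AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, which is a quick way to convince yourself the weights were transcribed correctly before trusting it on a vector you are disputing.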

Possible Impact

Successful exploitation of CVE-2025-33200 could disclose whatever sensitive data was left in the reused resource. NVIDIA's advisory does not identify the resource, so what could be exposed depends on its role in the firmware; configuration data or cryptographic material are the kinds of content that matter most if they are involved. The impact is confined to information disclosure, with no integrity or availability effect, but because the data lives in firmware and the attacker is already privileged on the host, the exposure is worth closing rather than dismissing on the strength of the low score alone.

Mitigation or Patch Steps

NVIDIA has released a security bulletin addressing this vulnerability. Users of NVIDIA DGX Spark GB10 are strongly advised to apply the firmware update it recommends as soon as possible:

  1. Locate the NVIDIA security bulletin for DGX Spark on the NVIDIA Customer Support website and note the fixed SROOT firmware version it lists.
  2. Download the corresponding firmware update for DGX Spark GB10 from NVIDIA.
  3. Install it following NVIDIA's instructions for DGX Spark firmware updates.
  4. Verify the installation by checking that the firmware version the system reports is at least the fixed version named in the bulletin.

Because exploitation already requires high privileges on the host, limiting which users and processes hold such privileges on DGX Spark systems is a sensible interim measure until the update is applied.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
