New Rowhammer Attack Enabled GPUBreach via GDDR6 Bit-Flips to Escalate Privileges
Rowhammer attacks can be exploited to enable privilege escalation
Continue ReadingHardware security
NVIDIA DGX Spark Security Update Fixed 14 Vulnerabilities
Summary : NVIDIA DGX Spark GB10 firmware vulnerabilities including CVE-2025-33187, CVE-2025-33188, CVE-2025-33189 & 11 more CVEs can Execute Malicious Code and DoS Attacks. Systems running DGX OS versions prior to OTA0 are affected. Immediate upgrade to OTA0 is strongly advised.
| OEM | NVIDIA |
| Severity | Critical |
| CVSS Score | 7.5 |
| CVEs | CVE-2025-33187, CVE-2025-33188, CVE-2025-33189 & 11 more CVEs |
| POC Available | No |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
NVIDIA has released a security update addressing 14 vulnerabilities in the NVIDIA DGX Spark firmware, a high-performance AI workstation for machine learning and model training.
These vulnerabilities enable attackers with local access to bypass protections and manipulate firmware and hardware controls. Exploitation could lead to unauthorized code execution, data tampering, system disruption, and exposure of sensitive AI data.
| Vulnerability Name | CVE ID | Product Affected | Severity | CVSS | Fixed Version |
| SoC Access Bypass Vulnerability via SROOT | CVE-2025-33187 | NVIDIA DGX Spark | Critical | 9.3 | OTAO |
| Hardware Control Tampering Vulnerability | CVE-2025-33188 | NVIDIA DGX Spark | High | 8.0 | OTAO |
| Out-of-Bounds Write Vulnerability in SROOT | CVE-2025-33189 | NVIDIA DGX Spark | High | 7.8 | OTAO |
Technical Summary
The NVIDIA DGX Spark GB10 firmware vulnerabilities primarily affect SROOT, OSROOT and hardware controls, enabling local attackers to bypass SoC protections for code execution, data tampering, information disclosure, denial of service and privilege escalation.
Critical flaws like out-of-bounds writes and hardware tampering allow memory corruption and system manipulation, while medium/low issues involve improper input handling, memory reads and resource reuse that risk data leaks or crashes.
All versions prior to OTA0 are vulnerable and security patch released fully addresses these risks.
| CVE ID | Vulnerability Details | Impact |
| CVE-2025-33187 | SROOT vulnerability allows attackers to access SoC-protected memory regions using privileged access | Code execution, privilege escalation |
| CVE-2025-33188 | Hardware controls can be tampered with due to improper authorization enforcement | Information disclosure, DoS |
| CVE-2025-33189 | Out-of-bounds writing in SROOT firmware enables memory corruption | Code execution, privilege escalation |
Other Vulnerabilities:
These other vulnerabilities are medium & low severity issues that may cause data leaks, system errors or minor disruptions.
| Vulnerability Name | CVE ID | Description | Severity | CVSS | Impact |
| Out-of-Bounds Write Vulnerability | CVE-2025-33190 | This vulnerability may allow unintended modification of system data | Medium | 6.7 | Code execution, Privilege escalation |
| Invalid Memory Read vulnerability in OSROOT | CVE-2025-33191 | Error in memory handling can crash system | Medium | 5.7 | Denial of service |
| Arbitrary Memory Read vulnerability | CVE-2025-33192 | Unauthorized access to stored information | Medium | 5.7 | Info disclosure, DoS |
| Integrity Validation Failure vulnerability | CVE-2025-33193 | Firmware integrity checks can be bypassed | Medium | 5.7 | Code execution, info leak |
| Input Processing Issue | CVE-2025-33194 | Faulty input handling reveals internal data | Medium | 5.7 | Info disclosure, DoS |
| Unexpected Buffer Operations | CVE-2025-33195 | Memory mishandling leads to data modification | Medium | 4.4 | Data tampering, DoS |
| Resource Reuse Exposure | CVE-2025-33196 | Reused firmware resources reveal sensitive data | Medium | 4.4 | Information disclosure |
| NULL Pointer Dereference | CVE-2025-33197 | System crashes due to improper pointer handling | Medium | 4.3 | DoS, possible code execution |
| Resource Reuse vulnerability | CVE-2025-33198 | Unintended reuse of resources leaks data | Low | 3.3 | Information disclosure |
| Incorrect Control vulnerability | CVE-2025-33199 | System behavior can be manipulated | Low | 3.2 | Data tampering |
| Resource Reuse vulnerability | CVE-2025-33200 | Data exposure due to resource reuse | Low | 2.3 | Information disclosure |
Remediation:
- Upgrade all NVIDIA DGX Spark systems to DGX OS OTA0 or the latest fixed version.
Conclusion:
The discovery of 14 critical vulnerabilities in the NVIDIA DGX Spark firmware provides a stark reminder that advanced hardware requires strict security practices round the clock.
These vulnerabilities pose a significant security risk to organizations using NVIDIA DGX Spark for AI or ML workloads. If exploited, attackers could gain deep hardware-level access, risk confidential AI datasets, system stability and training integrity. Immediate upgrading to OTA0 to mitigate all the vulnerabilities.
References:
Firmware Vulnerabilities affecting Dell Laptops Could allow attackers to achieve persistent access
A set of vulnerabilities affecting millions of Dell laptops used by government agencies, cybersecurity professionals, and enterprises worldwide. The vulnerability known as “ReVault,” mainly target the Broadcom BCM5820X security chip embedded in Dell’s ControlVault3 firmware.
This subsequently create opportunities for attackers to steal passwords, biometric data, and maintain persistent access to compromised systems.
How does the vulnerability work
Most of the flaws reside in the firmware for ControlVault3 and ControlVault3+, which are hardware security components that store passwords, biometric templates, and security codes.
The lists includes:
- Two out-of-bounds vulnerabilities (CVE-2025-24311, CVE-2025-25050)
- An arbitrary free (CVE-2025-25215) flaw
- A stack-overflow bug (CVE-2025-24922)
- An unsafe-deserialization flaw (CVE-2025-24919)
According to the researchers, the vulnerabilities can be exploited in so-called ReVault attacks by:
- Attackers who have achieved non-administrative access/privileges on a vulnerable target laptop. The vulnerabilities may allow them to interact with the ControlVault firmware and leak key material that would allow them to permanently modify the firmware (i.e., effectively creating a potential backdoor into the system)
- Attackers that have physical access to the laptop. They could pry the device open, use a custom connector to access the Unified Security Hub board (which runs ControlVault) over USB, and exploit those vulnerabilities – all without having to log into the system beforehand or having knowledge of the full-disk encryption password.
“Another interesting consequence of this scenario is that if a system is configured to be unlocked with the user’s fingerprint, it is also possible to tamper with the CV firmware to accept any fingerprint,” as per researchers.
Technical details have not been publicly shared, but they have, of course, been privately reported to Dell and Broadcom.
These are 5 critical vulnerabilities of ReVault found by Cisco Talos researcher
ReVault Attack – Five Critical Vulnerabilities
ControlVault3 and ControlVault3+ systems:
- CVE-2025-24311: An out-of-bounds read vulnerability that enables information leakage
- CVE-2025-25050: An out-of-bounds write flaw allowing code execution
- CVE-2025-25215: An arbitrary memory free vulnerability
- CVE-2025-24922: A stack-based buffer overflow enabling arbitrary code execution
- CVE-2025-24919: An unsafe deserialization flaw in ControlVault’s Windows APIs
Importance of device security posture/Endpoint security
The incident highlight how device posture check is designed to evaluate threat that a device poses to an organization and its systems.
The persistent nature of these attacks represents a significant escalation in firmware-based threats, as the malicious code resides below the operating system level.
Here traditional antivirus solutions cannot detect or remove it. Now sophistication of cyber threats means that organizations need to become more proactive in terms of defense.
The identification and mitigation of a threat early on, via an effective and clearly defined security posture, reduces costs, lessens downtime, and minimizes reputational damage.
Periodic security audits are essential to have a complete check on all the security features of the organization. Such audits identify vulnerabilities in the current security controls and allow for ensuring things align properly with industry standards.
Importance of Endpoint security
End point security detect and prevent security threats like file-based malware attacks among other malicious activities. It also provides investigation and remediation capabilities needed to respond to dynamic security incidents and alerts.
Conclusion:
Protecting against endpoint attacks is challenging for organisation because endpoints exist where humans and machines intersect. With the increasing number of adversaries trying to breach organizations using sophisticated cyberattacks, quickly detecting potential threats will help speed the remediation process and keep data protected.
(Source: https://www.helpnetsecurity.com/2025/08/05/dell-laptops-firmware-vulnerabilities-revault-attacks/)
RCE Risk in D-Link Routers due to Hardcoded Telnet Credentials
Summary A significant security flaw (CVE-2025-46176) has exposed thousands of D-Link routers to remote code execution attacks through hardcoded Telnet credentials embedded in firmware. This is affecting its DIR-605L and DIR-816L routers.
If successful exploitation happens this will enables attackers to modify router configurations, deploy malware, or pivot into internal networks.
| OEM | D-link |
| Severity | Medium |
| CVSS Score | 6.5 |
| CVEs | CVE-2025-46176 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The flaw exposes devices to remote command execution (RCE) through hardcoded Telnet credentials.
The vulnerability has been rated medium in severity (CVSS 6.5), with no official firmware patch available as of May 2025.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Hardcoded Telnet Credentials vulnerability | CVE-2025-46176 | D-Link Router | Medium | No official fix available |
Technical Summary
The vulnerability arises from hardcoded Telnet credentials in the router firmware, which allows unauthenticated remote attackers to execute arbitrary commands.
Firmware analysis revealed embedded credentials in configuration files used during Telnet service initialization.
Security experts recommended retiring these EOL devices due to absence of security support and the impossibility of removing hardcoded credentials through configuration changes.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-46176 | D-Link DIR-605L v2.13B01, DIR-816L v2.06B01 | Telnet service (/usr/sbin/telnetd -l /bin/sh -u Alphanetworks:$image_sign) uses hardcoded credentials from image_sign file, exposing plaintext passwords. | RCE |
Recommendations:
As of May 2025, no firmware updates are available to fix the vulnerability. Recommended temporary mitigations include :
- Disable Telnet access via the router’s web interface.
- Block Telnet port (23) using firewall rules:
“iptables -A INPUT -p tcp –dport 23 -j DROP”
- Restrict WAN access to management interfaces.
- Monitor D-Link’s official support page for firmware updates.
Conclusion:
Security researchers discovered the flaw through firmware analysis, revealing that both router models contain default Telnet credentials that cannot be changed by users.
While exploitation likelihood is currently assessed as low, vulnerability enables unauthenticated attackers to gain control of the routers, affecting confidentiality, integrity and availability.
Immediate mitigation is advised, especially for publicly exposed devices and Security experts strongly recommend retiring these EOL devices due to the absence of security support and the impossibility of removing hardcoded credentials through configuration changes.
Threat from Legacy Devices:
The vulnerability in Telnet revealed security risks that legacy networking equipment carry with them and is embedded hardcoded credentials in IoT devices.
Inadequate security, harboring multiple unpatched vulnerabilities and relying on inadequate security controls that fail to address underlying risks. This poses a threat not only to device itself, but also to the network and connected critical assets.
References:
Recent Comments