
Experts from the company Wiz have discovered a critical vulnerability in the Nvidia Container Toolkit. According to the researchers, the issue could pose a significant threat to managed cloud AI services.
The vulnerability has been named NvidiaScape and is identified as CVE-2025-23266 (9.0 on the CVSS scale). The issue was first demonstrated by Wiz experts in early 2025 at the Pwn2Own Berlin hacking competition. At that time, the bug and its exploit earned the company’s team a reward of $30,000.
Nvidia informed customers about the vulnerability and its patch in a bulletin published last week. According to the manufacturer, this critical vulnerability can lead to privilege escalation, information disclosure, data manipulation, and DoS attacks.
The bug affected all versions of the Nvidia Container Toolkit up to and including 1.17.7 and the Nvidia GPU Operator up to and including 25.3.0. The manufacturer resolved the issue in versions 1.17.8 and 25.3.1, respectively.
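To check a fleet against these version boundaries, the following added example (not code from Nvidia or Wiz) flags hosts whose reported version is older than the fixed release. The component keys, host names and version strings are hypothetical, and treating a pre-release of the fixed version as affected is a conservative assumption.

```python
import re

# Fixed releases as stated in the article; the dictionary keys are hypothetical labels.
FIXED = {
    "container-toolkit": (1, 17, 8),
    "gpu-operator": (25, 3, 1),
}

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:[-~]?(rc|alpha|beta)[.\d]*)?", re.I)

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3)), m.group(4) is not None

def is_vulnerable(component, version_text):
    """True if affected by CVE-2025-23266, False if fixed, None if unparseable."""
    parsed = parse_version(version_text)
    if parsed is None:
        return None
    release, prerelease = parsed
    fixed = FIXED[component]
    # Assumption: a pre-release of the fixed version (e.g. 1.17.8-rc.1) may not
    # carry the final fix, so it is treated as affected.
    if release == fixed and prerelease:
        return True
    # Tuple comparison is numeric, so 1.9.0 correctly sorts before 1.17.8.
    return release < fixed

def triage(inventory):
    """Return sorted hosts that need an upgrade or a manual check (unparseable version)."""
    flagged = {host for host, component, version_text in inventory
               if is_vulnerable(component, version_text) is not False}
    return sorted(flagged)

# Constructed sample inventory: (host, component, reported version string).
SAMPLE_INVENTORY = [
    ("gpu-node-01", "container-toolkit", "1.17.7"),
    ("gpu-node-02", "container-toolkit", "v1.17.8"),
    ("gpu-node-03", "container-toolkit", "1.17.8-rc.1"),
    ("gpu-node-04", "gpu-operator", "v25.3.0"),
    ("gpu-node-05", "gpu-operator", "25.3.1"),
    ("gpu-node-06", "container-toolkit", "unknown"),
    ("gpu-node-07", "container-toolkit", "1.9.0"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print("needs attention:", host)
```

Hosts with an unparseable version are flagged rather than skipped, so a missing or malformed inventory entry is never read as "patched".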
Nvidia Container Toolkit is designed for creating and running GPU-accelerated containers and, according to researchers, it is often used by major cloud providers in the operation of managed AI services.
Wiz explains that CVE-2025-23266 is caused by the incorrect configuration of Open Container Initiative (OCI) hooks — mechanisms that allow certain actions to be executed at different stages of a container’s lifecycle. The bug poses the greatest risk to managed AI services in the cloud, where users can run their own containers on shared GPU infrastructure.
This means NvidiaScape can be used by a malicious container to bypass isolation and gain full root access to the host machine. From the host machine, an attacker can steal or manipulate data, as well as impact proprietary AI models of other clients using the same hardware.
Now that the patch has been released, experts have shared technical details of the vulnerability and demonstrated that it can be exploited using a malicious payload and a three-line Dockerfile placed inside the container image.
“This research once again highlights that containers are not a reliable security barrier and should not be relied upon as the sole means of isolation,” warns Wiz. “When developing applications, especially for multi-user environments, vulnerabilities should always be assumed, and at least one reliable isolation barrier, such as virtualization, should be implemented.”
