EXECUTIVE SUMMARY:
A vulnerability has been identified CVE-2025-23358 in the installer component of the NVIDIA App on Windows systems, where an attacker with local access can exploit a search‑path element flaw to inject and execute malicious code with elevated privileges. The weakness arises because the installer improperly loads resources from uncontrolled or unsafe directories, enabling the attacker to replace or spoof dynamic‑link libraries (DLLs) or scripts during installation or update events. If successfully exploited, this elevation of privilege could allow a non‑administrator user to gain full system‑level control, severely the integrity and confidentiality of affected systems. It is strongly advised to apply the provided update and restrict local installer execution to trusted users. The vulnerability has a CVSS score of 8.2.
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: