CVE-2025-23355 Overview
NVIDIA Nsight Graphics for Windows contains a DLL hijacking vulnerability in the ngfx component. An attacker with local access can place a malicious Dynamic-Link Library (DLL) in a location searched by the application, causing the trusted process to load attacker-controlled code. Successful exploitation can lead to arbitrary code execution, privilege escalation, data tampering, and denial of service. The flaw is tracked under CWE-427: Uncontrolled Search Path Element and requires user interaction to trigger the vulnerable load path.
Critical Impact
Local attackers can execute arbitrary code in the context of NVIDIA Nsight Graphics, enabling privilege escalation and persistent compromise of developer workstations.
Affected Products
- NVIDIA Nsight Graphics for Windows (ngfx component)
- Microsoft Windows host platforms running Nsight Graphics
- Developer workstations using NVIDIA graphics debugging tooling
Discovery Timeline
- 2025-10-01 - CVE-2025-23355 published to the National Vulnerability Database
- 2025-10-22 - Last updated in NVD database
- Vendor advisory - Published in NVIDIA Security Bulletin (Answer ID 5704)
Technical Details for CVE-2025-23355
Vulnerability Analysis
The vulnerability is a classic DLL hijacking flaw within the ngfx component of NVIDIA Nsight Graphics. When the application launches, it loads one or more DLLs without using a fully qualified path or without restricting the DLL search order. Windows then follows its standard library search sequence, which includes the application's working directory and other locations writable by the user. An attacker who can place a crafted DLL in such a location causes the legitimate Nsight process to map and execute the attacker's code. Because the exploit chain requires the victim to launch Nsight Graphics, the vulnerability is classified as local with user interaction. Once loaded, the malicious DLL runs with the privileges of the invoking user, which on developer machines frequently includes administrative rights.
Root Cause
The root cause is an uncontrolled search path element [CWE-427]. The ngfx component resolves dependent libraries through Windows' default search order rather than enforcing a hardened load policy such as LOAD_LIBRARY_SEARCH_SYSTEM32 or explicit absolute paths. This allows planted DLLs in user-writable directories to be loaded before or instead of the intended system libraries.
Attack Vector
An attacker stages a malicious DLL with a filename matching a library that Nsight Graphics attempts to load. Common delivery methods include archives containing both a project file and the rogue DLL, shared network folders, or compromised download directories. When the user opens the project or launches Nsight from that directory, the DLL is loaded and the attacker's DllMain executes. No network access or authentication is required, and the attacker inherits the user's session privileges.
No public proof-of-concept code is currently available. Refer to the NVIDIA Security Bulletin for vendor-supplied technical context.
Detection Methods for CVE-2025-23355
Indicators of Compromise
- Unexpected DLL files located in directories alongside Nsight Graphics project files or shortcut targets
- Nsight Graphics processes loading modules from user profile paths such as C:\Users\<user>\Downloads\ or %TEMP%
- Child processes spawned by ngfx.exe or related binaries that do not match normal developer tool behavior
Detection Strategies
- Monitor image-load events (Sysmon Event ID 7) where the loading process (the Image field) is an Nsight Graphics binary and the loaded DLL (the ImageLoaded field) resides outside Program Files or System32
- Apply application allowlisting rules that flag unsigned or untrusted DLLs loaded by NVIDIA developer tools
- Hunt for archive extractions that drop both .exe or .ngfx project files and DLLs into the same user-writable directory
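The image-load strategy above, as an added Python example (not vendor code): it parses Sysmon Event ID 7 records rendered as XML and flags loads where the loading process is ngfx.exe and the module path falls outside Program Files and System32. The events, the install path and the example.dll name are constructed, and the trusted-root list is an assumption.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NSIGHT_IMAGES = {"ngfx.exe"}  # process name taken from the page; extend for related binaries
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\",  # assumption: default
                 "c:\\windows\\system32\\", "c:\\windows\\syswow64\\")  # locations on drive C:

def parse_event(xml_text):
    """Return (event_id, {field: value}) for one Sysmon event rendered as XML."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, fields

def suspicious_load(xml_text):
    """Finding dict if an Nsight process loaded a DLL from outside the trusted roots, else None."""
    event_id, f = parse_event(xml_text)
    if event_id != 7 or ntpath.basename(f.get("Image", "")).lower() not in NSIGHT_IMAGES:
        return None
    # normpath collapses "..\" so a path cannot pass merely by starting with a trusted prefix
    loaded = ntpath.normpath(f.get("ImageLoaded", "")).lower()
    if loaded.startswith(TRUSTED_ROOTS):
        return None
    signed_ok = f.get("Signed", "").lower() == "true" and f.get("SignatureStatus") == "Valid"
    return {"loaded": loaded, "signed_ok": signed_ok, "signature": f.get("Signature", "")}

def hunt(events):
    return [hit for hit in map(suspicious_load, events) if hit]

def make_event(image, loaded, signed="false", signature="-", status="Unavailable", event_id=7):
    """Build a constructed Sysmon event for the sample below (not real telemetry)."""
    data = {"Image": image, "ImageLoaded": loaded, "Signed": signed,
            "Signature": signature, "SignatureStatus": status}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

NGFX = r"C:\Program Files\NVIDIA Corporation\Nsight Graphics\ngfx.exe"  # constructed path
SAMPLE_EVENTS = [
    make_event(NGFX, r"C:\Windows\System32\kernel32.dll", "true", "Microsoft Windows", "Valid"),
    make_event(NGFX, r"C:\Users\dev\Downloads\project\example.dll"),
    make_event(r"C:\Windows\System32\notepad.exe", r"C:\Users\dev\Downloads\example.dll"),
    make_event(NGFX, r"C:\Program Files\..\Users\dev\AppData\Local\Temp\example.dll"),
]

if __name__ == "__main__":
    print(*hunt(SAMPLE_EVENTS), sep="\n")
```

Loads that are validly signed but still outside the trusted roots are reported with signed_ok set to True, so they can be triaged at lower priority instead of being dropped.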
Monitoring Recommendations
- Enable PowerShell and command-line logging on developer workstations to capture lateral movement following code execution
- Forward image-load telemetry and module signing data to a centralized SIEM for correlation across endpoints
- Baseline normal DLL load behavior for Nsight Graphics and alert on deviations involving non-NVIDIA signed modules
How to Mitigate CVE-2025-23355
Immediate Actions Required
- Update NVIDIA Nsight Graphics to the fixed version identified in the NVIDIA Security Bulletin (Answer ID 5704)
- Restrict launching Nsight Graphics from untrusted directories such as Downloads, network shares, or extracted archives
- Audit endpoints for unexpected DLL files in directories that contain Nsight project files or shortcuts
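One way to run the audit in the last item, as an added Python example (not vendor tooling): it walks a directory tree and reports every directory that holds a DLL next to a project file, executable or shortcut, with a SHA-256 of each DLL for triage. The marker extensions are an assumption based on the file types this page names; point it at user-writable roots such as Downloads or extracted archive folders, not at the installation directory.

```python
import hashlib
import os
import sys

# Assumptions: ".ngfx" and ".exe" are the extensions the page names; ".lnk" is a Windows shortcut.
MARKER_EXTS = {".ngfx", ".exe", ".lnk"}

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks; return None if it cannot be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                digest.update(block)
    except OSError:
        return None
    return digest.hexdigest()

def find_colocated_dlls(root):
    """Map each directory under root that holds a marker file to its DLLs as (name, sha256)."""
    findings = {}
    for dirpath, _subdirs, files in os.walk(root):
        if not any(os.path.splitext(n)[1].lower() in MARKER_EXTS for n in files):
            continue
        dlls = sorted(n for n in files if n.lower().endswith(".dll"))
        if dlls:
            findings[dirpath] = [(n, sha256_file(os.path.join(dirpath, n))) for n in dlls]
    return findings

if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "."
    for directory, dlls in find_colocated_dlls(scan_root).items():
        for name, digest in dlls:
            print(f"{directory}\t{name}\t{digest}")
```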
Patch Information
NVIDIA has released updated installers addressing the ngfx DLL search path issue. Administrators should consult the NVIDIA Support Answer 5704 for fixed version numbers and deploy through standard software management workflows. Verify installer signatures and confirm the upgrade on every developer workstation running the affected product.
Workarounds
- Launch Nsight Graphics only from its installation directory under Program Files and avoid double-clicking project files from untrusted locations
- Apply Windows AppLocker or Windows Defender Application Control policies to block unsigned DLLs from loading into NVIDIA developer tools
- Remove write permissions for standard users on directories that contain Nsight Graphics binaries or shared project files
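# Example AppLocker DLL deny rule (PowerShell). New-AppLockerPolicy builds allow rules from file information and has no deny option, so the rule is written as policy XML and merged.
# AuditOnly logs matching loads; enforce only once the Dll collection also has allow rules. The rule Id is a constructed GUID.
@'
<AppLockerPolicy Version="1"><RuleCollection Type="Dll" EnforcementMode="AuditOnly">
<FilePathRule Id="11111111-2222-4333-8444-555555555555" Name="Deny DLLs in Downloads" Description="Block DLL loads from Downloads to mitigate CVE-2025-23355" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions><FilePathCondition Path="%OSDRIVE%\Users\*\Downloads\*.dll" /></Conditions></FilePathRule></RuleCollection></AppLockerPolicy>
'@ | Set-Content -Path "$env:TEMP\nsight-dll-deny.xml"
Set-AppLockerPolicy -XmlPolicy "$env:TEMP\nsight-dll-deny.xml" -Merge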


