Deserialization of Untrusted Data Vulnerability in NI DAQExpress

Overview

A deserialization of untrusted data vulnerability exists in NI DAQExpress that may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects DAQExpress 5.1 and all prior versions.

This vulnerability is identified as CVE-2024-12741.

Note: This is informational only. At the time of disclosure, DAQExpress is EOL and will not receive any updates.

Mitigation Guidance

NI DAQExpress is End of Life (EOL) and will not receive any updates.  

See How Can I Use My NI DAQ Hardware Without LabVIEW? for alternatives, including the use of NI FlexLogger Lite.

Affected Products

Product Version | Mitigation
DAQExpress 5.1 and all prior versions | See Mitigation Guidance

CVSS Score

CVE-2024-12741 - 7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank kimiya working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.
