DLL Hijacking Vulnerability in NI LabVIEW When Loading NI Error Reporting

Overview

NI LabVIEW contains a DLL hijacking vulnerability, caused by an uncontrolled search path, that is triggered when LabVIEW loads NI Error Reporting. This vulnerability may result in arbitrary code execution. Successful exploitation requires an attacker to insert a malicious DLL into the uncontrolled search path. This vulnerability affects NI LabVIEW 2025 Q1 and prior versions.

This vulnerability is identified as CVE-2025-2629.

Mitigation Guidance

NI strongly recommends upgrading the affected software to mitigate this vulnerability. Refer to the Affected Products section for information on upgrading these products. If upgrading is not possible, this issue can be mitigated by disabling NI Error Reporting.
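
For fleet triage, the fixed versions this advisory lists per product year can be turned into a version check. The following Python is an added example, not NI code; the inventory string format ("LabVIEW <year> Q<n> Patch <n>"), the host names, and the reading of "or later" as an ordered (quarter, patch) comparison are assumptions.

```python
import re

# Minimum fixed release per LabVIEW year as (quarter, patch), copied from the
# advisory's product table. 2021 and prior are not in mainstream support.
FIXED = {2025: (1, 2), 2024: (3, 3), 2023: (3, 6), 2022: (3, 5)}
OLDEST_SUPPORTED_YEAR = min(FIXED)

# Assumed inventory format: "LabVIEW <year> [Q<n>] [Patch <n>]".
VERSION_RE = re.compile(
    r"^\s*LabVIEW\s+(\d{4})(?:\s+Q([1-4]))?(?:\s+Patch\s+(\d+))?\s*$", re.IGNORECASE
)


def triage(version: str) -> str:
    """Classify one version string: 'ok', 'upgrade', 'unsupported' or 'unparsed'."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparsed"  # never guess: route to manual review
    year = int(m.group(1))
    # A missing quarter or patch is read as the earliest release (conservative).
    release = (int(m.group(2) or 1), int(m.group(3) or 0))
    if year < OLDEST_SUPPORTED_YEAR:
        return "unsupported"  # no patch listed; fallback is disabling NI Error Reporting
    if year > max(FIXED):
        return "ok"  # newer than every release the advisory lists as affected
    return "ok" if release >= FIXED[year] else "upgrade"


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by triage status."""
    report: dict[str, list[str]] = {}
    for host, version in sorted(inventory.items()):
        report.setdefault(triage(version), []).append(host)
    return report


# Constructed sample inventory (host names and versions are made up).
SAMPLE = {
    "bench-01": "LabVIEW 2025 Q1 Patch 1",
    "bench-02": "LabVIEW 2025 Q3",
    "bench-03": "LabVIEW 2024 Q3 Patch 3",
    "bench-04": "LabVIEW 2023 Q1 Patch 7",
    "bench-05": "LabVIEW 2020 SP1",
    "bench-06": "LabVIEW 2019",
}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status:12} {', '.join(hosts)}")
```

Hosts reported as "unparsed" need a manual version check rather than being assumed safe.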

Affected Products

Product Version | Mitigation
LabVIEW 2025 | Upgrade to LabVIEW 2025 Q1 Patch 2 or later from NI Package Manager or Software Downloads
LabVIEW 2024 | Upgrade to LabVIEW 2024 Q3 Patch 3 or later from NI Package Manager or Software Downloads
LabVIEW 2023 | Upgrade to LabVIEW 2023 Q3 Patch 6 or later from NI Package Manager or Software Downloads
LabVIEW 2022 | Upgrade to LabVIEW 2022 Q3 Patch 5 or later from NI Package Manager or Software Downloads
LabVIEW 2021 and prior | Not in Mainstream Support

CVSS Score

CVE-2025-2629 – 7.3 – CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2025-2629 – 7.0 – CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank Mike Palafox from BLOOMY® for reporting this issue and working with us on coordinated disclosure.
