There is a DLL hijacking vulnerability due to an uncontrolled search path that exists in NI LabVIEW when loading NI Error Reporting. This vulnerability may result in arbitrary code execution. Successful exploitation requires an attacker to insert a malicious DLL into the uncontrolled search path. This vulnerability affects NI LabVIEW 2025 Q1 and prior versions.
This vulnerability is identified as CVE-2025-2629.
NI strongly recommends upgrading the affected software to mitigate these vulnerabilities. Refer to the Affected Products section for information on upgrading these products. If upgrading is not possible, this issue can be mitigated by disabling NI Error Reporting.
CVE-2025-2629 – 7.3 - CVSS:3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2025-2629 – 7.0 - CVSS:4.0 AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank Mike Palafox from BLOOMY® for reporting this issue and working with us on coordinated disclosure.
Product Version | Mitigation |
---|---|
LabVIEW 2025 | Upgrade to LabVIEW 2025 Q1 Patch 2 or later from NI Package Manager or Software Downloads |
LabVIEW 2024 | Upgrade to LabVIEW 2024 Q3 Patch 3 or later from NI Package Manager or Software Downloads |
LabVIEW 2023 | Upgrade to LabVIEW 2023 Q3 Patch 6 or later from NI Package Manager or Software Downloads |
LabVIEW 2022 | Upgrade to LabVIEW 2022 Q3 Patch 5 or later from NI Package Manager or Software Downloads |
LabVIEW 2021 and prior | Not in Mainstream Support |