There is a DLL hijacking vulnerability due to an uncontrolled search path that exists in NI LabVIEW. This vulnerability may result in arbitrary code execution. Successful exploitation requires an attacker to insert a malicious DLL into the uncontrolled search path. This vulnerability affects NI LabVIEW 2025 Q1 and prior versions.
This vulnerability is identified as CVE-2025-2630.
NI strongly recommends upgrading the affected software to mitigate these vulnerabilities. Refer to the Affected Products section for information on upgrading these products.
For deployed LabVIEW applications, users should also patch their LabVIEW Run-Time Engine.
CVE-2025-2630 – 7.3 - CVSS:3.1 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE-2025-2630 – 7.0 - CVSS:4.0 AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank Mike Palafox from BLOOMY® for reporting this issue and working with us on coordinated disclosure.
Product Version | Mitigation |
---|---|
LabVIEW 2025 | Upgrade to LabVIEW 2025 Q1 Patch 2 or later from NI Package Manager or Software Downloads |
LabVIEW 2024 | Upgrade to LabVIEW 2024 Q3 Patch 3 or later from NI Package Manager or Software Downloads |
LabVIEW 2023 | Upgrade to LabVIEW 2023 Q3 Patch 6 or later from NI Package Manager or Software Downloads |
LabVIEW 2022 | Upgrade to LabVIEW 2022 Q3 Patch 5 or later from NI Package Manager or Software Downloads |
LabVIEW 2021 and prior | Not in Mainstream Support |