There is a relative file path directory traversal vulnerability in the USI Registration tool for DataPlugins (USIReg.exe) used by NI software that may result in arbitrary code execution. The USI Registration tool is used to install DataPlugins for use by other NI Software. Successful exploitation requires an attacker to get a user to open a specially crafted .uri file.
This vulnerability is identified as CVE-2025-2449.
NI recommends upgrading the affected software to mitigate these vulnerabilities. USIReg.exe is a shared component, so upgrading/installing any one of the listed software will include the fix for all. Refer to the Affected Products section for information on upgrading. These issues are not exploitable remotely.
CVE-2025-2449 – 7.8 - CVSS:3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2025-2449 – 8.5 - CVSS:4.0 AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
This vulnerability was reported by 06fe5fd2bc53027c4a3b7e395af0b850e7b8a044 working with Trend Micro Zero Day Initiative.
| Product Version | Mitigation |
|---|---|
| NI FlexLogger 2025 Q2 and prior versions | Upgrade to NI FlexLogger 2025 Q3 or later from NI Package Manger or Software Downloads |
| NI LabVIEW 2025 Q1 and prior versions | Upgrade to NI LabVIEW 2025 Q3 or later from NI Package Manager or Software Downloads |
| NI DIAdem 2024 Q4 and prior versions | Upgrade to NI DIAdem 2025 Q2 or later from NI Package Manger or Software Downloads |
| NI SystemLink Server 2025 Q2 and prior versions | Upgrade to NI SystemLink Server 2025 Q3 or later from NI Package Manger or Software Downloads |