Relative Path Traversal Vulnerability in NI System Web Server

Updated Dec 11, 2025

Overview

There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure. Successful exploitation requires an attacker to send a specially crafted request to the NI System Web Server, allowing the attacker to read arbitrary files. This vulnerability existed in NI System Web Server 2012 and prior versions. It was fixed in 2013.

This vulnerability is identified as CVE-2025-12097.

The NI System Web Server is a component installed with several NI products, including LabVIEW.

Mitigation Guidance
Affected Products
CVSS Score
Further Information
Additional Resources

Mitigation Guidance

NI strongly recommends upgrading the affected software to mitigate these vulnerabilities.  Refer to the Affected Products section for information on upgrading these products. 

In addition, NI offers the following general defense-in-depth recommendations:

Avoid exposing systems directly to the Internet
Place network connected systems behind a firewall or implement other compensating controls
When remote access is required, use a secure access method such as a virtual private network (VPN).

Affected Products

CVSS Score

CVE-2025-12097 – 7.5 - CVSS:3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2025-12097 – 8.7 - CVSS:4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.

Additional Resources

CVE-2025-12097 – National Vulnerability Database
CWE-23 – Relative Path Traversal

Product Version	Mitigation
LabVIEW 2009-2012	Upgrade to LabVIEW 2013 or later in NI Package Manager or from Software Downloads

Was this information helpful?

Yes