CVE-2025-7361: Code Injection Vulnerability in NI LabVIEW
This blog post discusses a recently disclosed code injection vulnerability, CVE-2025-7361, affecting NI LabVIEW. This flaw could allow an attacker to execute arbitrary code on a user's system.
🔍 TL;DR Summary
CVE-2025-7361 is a code injection vulnerability found in 32-bit versions of NI LabVIEW. An attacker can exploit this by tricking a user into opening a maliciously crafted VI (Virtual Instrument) file that utilizes a CIN (Code Interface Node). Successful exploitation leads to arbitrary code execution.
🚨 Vulnerability Details
- CVE ID: CVE-2025-7361
- Description: A code injection vulnerability exists in NI LabVIEW due to an improper initialization check. This can be exploited by convincing a user to open a crafted VI file containing a malicious CIN node.
- CVSS Score and Vector:
- CVSS v3.1 Score: 7.8 (High)
- CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- CVSS v4.0 Score: 8.5 (High)
- CVSS v4.0 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Explanation: The vulnerability requires local access (AV:L) and a user interaction (UI:R), meaning the attacker needs the victim to open a malicious file. The impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H) are all high, indicating a significant risk.
- Exploit Requirements: An attacker needs to create a malicious VI file with a specially crafted CIN node and convince a user to open it in a vulnerable version of LabVIEW.
- Affected Vendor, Product, Version: NI LabVIEW 2025 Q1 (32-bit) and prior versions. 64-bit versions are not affected.
- CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection')
Explanation: CWE-94 means the application constructs all or part of the code using external input. If an attacker can control that input, they can inject their own malicious code into the application's execution.
📅 Timeline of Events
- 2025-07-29: Vulnerability publicly disclosed.
🧠 Exploitability & Real-World Risk
The exploitability is relatively straightforward if an attacker can successfully deliver a malicious VI file to a user. Given the nature of LabVIEW applications in industrial control and data acquisition, successful exploitation could have severe consequences, including system compromise, data theft, or disruption of critical processes.
🛠️ Recommendations
- Upgrade: Update to a patched version of NI LabVIEW if available. Consider migrating to a 64-bit version if possible, as it is not affected by this vulnerability.
- Security Awareness: Educate users about the risks of opening files from untrusted sources.
- Input Validation: Although primarily a vendor responsibility, be cautious when incorporating external code or libraries into LabVIEW projects.
🧪 Technical Insight
CIN nodes allow LabVIEW to interface with external code written in languages like C or C++. The vulnerability likely stems from a failure to properly sanitize or validate the code loaded through the CIN node, allowing an attacker to inject arbitrary code during the VI's execution.
🙌 Credit to Researcher(s)
Credit to NI for identifying and disclosing this vulnerability.
🔗 References
🧵 Tags
#NILabVIEW #CodeInjection #RCE #CVE20257361 #SecurityVulnerability #CINNodes
Summary: CVE-2025-7361 is a code injection vulnerability in 32-bit NI LabVIEW. By enticing a user to open a malicious VI file with a crafted CIN node, an attacker can achieve arbitrary code execution. Mitigation involves upgrading LabVIEW and educating users about the risks of untrusted files.
CVE ID: CVE-2025-7361
Risk Analysis: Successful exploitation of this vulnerability could lead to arbitrary code execution on the victim's system, potentially allowing the attacker to steal sensitive data, compromise the system, or disrupt critical operations.
Recommendation: Upgrade to a patched version of NI LabVIEW or migrate to a 64-bit version, which is not affected. Exercise caution when opening VI files from untrusted sources.
Timeline
- 2025-07-29: Vulnerability disclosed.