PatchSiren

CVE-2025-2632 National Instruments CVE debrief

CVE-2025-2632 is a high-severity vulnerability in National Instruments LabVIEW affecting 2025 Q1 and prior versions. CISA says an out-of-bounds write while parsing user-supplied data may allow an attacker to execute arbitrary code, and National Instruments has released patches.

Vendor: National Instruments
Product: LabVIEW
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-15
Original CVE updated: 2025-05-06
Advisory published: 2025-04-15
Advisory updated: 2025-05-06

Who should care

Organizations using National Instruments LabVIEW, especially engineering, test, automation, and industrial/OT teams that process untrusted files or external data with LabVIEW installations.

Technical summary

The advisory identifies an out-of-bounds write in LabVIEW 2025 Q1 and prior versions when parsing user-supplied data. The supplied CVSS 3.1 vector is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: a local attack vector with low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity, and availability. CISA describes the issue as potentially enabling remote code execution and notes that vendor patches are available.

Defensive priority

High. Prioritize patching and exposure review for any LabVIEW deployment that handles external or user-controlled data, because the vulnerability can affect confidentiality, integrity, and availability.

Recommended defensive actions

  • Inventory LabVIEW installations and confirm whether any system is running 2025 Q1 or earlier.
  • Apply National Instruments patches referenced in the advisory as soon as operationally feasible.
  • Treat all user-supplied data processed by LabVIEW as untrusted; validate and restrict inputs where possible.
  • Reduce exposure of engineering workstations and OT-connected systems that use LabVIEW, following CISA ICS recommended practices.
  • Review segmentation, access control, and least-privilege settings around affected systems.
  • Monitor the NI and CISA advisories for any follow-up guidance or updates.

Evidence notes

Primary facts come from CISA’s CSAF advisory ICSA-25-105-06 and the supplied CVE/CVSS metadata. The advisory was initially published on 2025-04-15 and revised on 2025-05-06 to fix typos. The affected range is National Instruments LabVIEW <=2025_Q1, and the remediation section states that patches are available from National Instruments.

Official resources

CISA published the advisory on 2025-04-15 and revised it on 2025-05-06 for typo fixes. Use the CVE/advisory publication date for issue timing, not the debrief generation date.