PatchSiren cyber security CVE debrief
CVE-2025-64461 National Instruments CVE debrief
National Instruments LabVIEW contains an out-of-bounds write vulnerability that can be triggered when a user opens a specially crafted VI (Virtual Instrument) file. This memory corruption flaw may allow an attacker to execute arbitrary code with the privileges of the user running LabVIEW. The attack requires local access in the sense that the attacker must convince a user to open a malicious file, but does not require elevated privileges or complex interaction. The vulnerability affects multiple supported versions of LabVIEW from 2022 through 2025, with LabVIEW 2021 noted as no longer in mainstream support. National Instruments has released patched versions for all supported releases.
- Vendor: National Instruments
- Product: LabVIEW
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-18
- Original CVE updated: 2025-12-18
- Advisory published: 2025-12-18
- Advisory updated: 2025-12-18
Who should care
Organizations using National Instruments LabVIEW in engineering, test, measurement, and industrial control applications, particularly those in operational technology (OT) environments where LabVIEW is deployed for data acquisition and control systems. Security teams responsible for software supply chain and file-based attack vectors should prioritize patching.
Technical summary
Out-of-bounds write in LabVIEW VI file parsing
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to vendor-provided patched versions: LabVIEW 2025 Q3 Patch 3 or later, LabVIEW 2024 Q3 Patch 5 or later, LabVIEW 2023 Q3 Patch 8 or later, or LabVIEW 2022 Q3 Patch 7 or later via NI Package Manager or Software
- Implement application whitelisting and execution controls to prevent unauthorized LabVIEW file execution
- Train users to recognize and avoid opening untrusted VI files from unknown sources
- Consider network segmentation for systems running LabVIEW in operational technology environments
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
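An added example, not taken from the advisory or from NI tooling: a Python check that compares inventory version strings against the fixed builds listed in the upgrade action above. The version string format, the hostnames, and the treatment of a Q1 release as older than the Q3 fixed build are assumptions.

```python
import re

# Minimum fixed builds from the recommended actions: year -> (quarter, patch).
FIXED = {2025: (3, 3), 2024: (3, 5), 2023: (3, 8), 2022: (3, 7)}

# Assumed inventory string format, mirroring the advisory's wording
# ("LabVIEW 2024 Q3 Patch 5"); real inventory exports may differ.
_VERSION = re.compile(r"LabVIEW\s+(\d{4})(?:\s+Q([1-4]))?(?:\s+Patch\s+(\d+))?", re.I)

def assess(version_string):
    """Classify a version string: patched, vulnerable, unsupported or unknown."""
    m = _VERSION.search(version_string)
    if not m:
        return "unknown"              # not a LabVIEW entry, or unparseable
    year = int(m.group(1))
    quarter = int(m.group(2)) if m.group(2) else None
    patch = int(m.group(3) or 0)      # no "Patch N" suffix means base release
    if year < min(FIXED):
        return "unsupported"          # e.g. 2021: no fixed build is listed
    if year not in FIXED or quarter is None:
        return "unknown"              # outside the listed releases, or ambiguous
    # Assumption: within a year, a Q1 release predates the Q3 fixed build.
    return "patched" if (quarter, patch) >= FIXED[year] else "vulnerable"

def audit(inventory):
    """Return {host: status} for every host not confirmed as patched."""
    results = {host: assess(version) for host, version in inventory.items()}
    return {host: s for host, s in results.items() if s != "patched"}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "test-rig-01": "LabVIEW 2024 Q3 Patch 5",
    "test-rig-02": "LabVIEW 2024 Q3 Patch 4",
    "daq-lab-03": "LabVIEW 2023 Q1",
    "legacy-04": "LabVIEW 2021 SP1",
    "bench-05": "LabVIEW 2025 Q3 Patch 3",
    "bench-06": "NI-DAQmx 2024",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" or "unsupported" need manual review rather than being treated as safe.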
Evidence notes
CVE published 2025-12-18 per CISA CSAF advisory ICSA-25-352-03. CVSS 3.1 score 7.8 (HIGH) with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Attack vector is local, requiring user interaction to open a crafted VI file.
Official resources
- CVE-2025-64461 CVE record (CVE.org)
- CVE-2025-64461 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-12-18