PatchSiren cyber security CVE debrief
CVE-2025-64463 National Instruments CVE debrief
CVE-2025-64463 is a high-severity out-of-bounds read vulnerability in National Instruments LabVIEW, published on December 18, 2025. The flaw exists in the LVResource::DetachResource() function and can be triggered when a user opens a specially crafted, corrupted VI (Virtual Instrument) file. Successful exploitation may result in information disclosure or arbitrary code execution. The vulnerability requires local access and user interaction, with an attack complexity rated as low. National Instruments has released patched versions for supported LabVIEW releases (2022 through 2025), while LabVIEW 2021 is no longer in mainstream support and does not receive fixes. Organizations should prioritize upgrading to the specified patch levels and implement user awareness training to reduce social engineering risks associated with malicious file attachments.
- Vendor: National Instruments
- Product: LabVIEW
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-18
- Original CVE updated: 2025-12-18
- Advisory published: 2025-12-18
- Advisory updated: 2025-12-18
Who should care
Organizations using National Instruments LabVIEW in engineering, test, and measurement environments, particularly those in industrial control systems (ICS) and operational technology (OT) contexts where LabVIEW is deployed for data acquisition and automation tasks.
Technical summary
The vulnerability resides in the LVResource::DetachResource() function within LabVIEW's resource handling code. When processing a malformed VI file, insufficient bounds checking leads to an out-of-bounds read condition. This memory safety defect can be leveraged to leak sensitive information from process memory or achieve arbitrary code execution under the context of the LabVIEW process. The attack vector requires social engineering to convince a user to open a malicious VI file, with no privileges required for successful exploitation.
Defensive priority
high
Recommended defensive actions
- Upgrade LabVIEW 2025 to Q3 Patch 3 or later via NI Package Manager
- Upgrade LabVIEW 2024 to Q3 Patch 5 or later via NI Package Manager
- Upgrade LabVIEW 2023 to Q3 Patch 8 or later via NI Package Manager
- Upgrade LabVIEW 2022 to Q3 Patch 7 or later via NI Package Manager
- If running LabVIEW 2021, migrate to a supported version, because LabVIEW 2021 is no longer in mainstream support and does not receive a fix
- Implement user training on recognizing and avoiding suspicious VI file attachments
- Apply defense-in-depth strategies for industrial control systems environments
Evidence notes
Vulnerability details sourced from CISA ICS Advisory ICSA-25-352-03. CVSS 3.1 score of 7.8 (HIGH) confirmed. Vendor fix information and end-of-life status for LabVIEW 2021 obtained from CSAF remediation data.
Official resources
- CVE-2025-64463 CVE record (CVE.org)
- CVE-2025-64463 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-12-18