PatchSiren

CVE-2025-64465 National Instruments CVE debrief

National Instruments LabVIEW contains an out-of-bounds read vulnerability in the lvre!DataSizeTDR() function that triggers when opening a corrupted Virtual Instrument (VI) file. The vulnerability, published December 18, 2025, carries a CVSS 3.1 score of 7.8 (HIGH severity). Successful exploitation requires user interaction—specifically, convincing a target to open a maliciously crafted VI file. The impact scope includes potential information disclosure and arbitrary code execution. CISA issued advisory ICSA-25-352-03 to coordinate disclosure. National Instruments has released patched versions for supported LabVIEW releases (2022 through 2025), while LabVIEW 2021 is no longer in mainstream support and does not receive fixes.

Vendor: National Instruments
Product: LabVIEW
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-18
Original CVE updated: 2025-12-18
Advisory published: 2025-12-18
Advisory updated: 2025-12-18

Who should care

Organizations using National Instruments LabVIEW for test, measurement, and control applications, particularly in industrial and research environments where VI files may be shared between users or obtained from external sources. Security teams in OT/ICS environments should prioritize patching because of the potential for code execution on engineering workstations.

Technical summary

The vulnerability exists in the lvre!DataSizeTDR() function within LabVIEW's runtime engine. When processing a corrupted VI file, improper bounds checking leads to an out-of-bounds read condition. This memory safety defect can be leveraged to disclose sensitive information from process memory or achieve arbitrary code execution under the context of the LabVIEW process. The attack requires local access with user interaction (opening a malicious file), but no privileges are required to trigger the vulnerability.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade LabVIEW 2025 installations to Q3 Patch 3 or later
  • Upgrade LabVIEW 2024 installations to Q3 Patch 5 or later
  • Upgrade LabVIEW 2023 installations to Q3 Patch 8 or later
  • Upgrade LabVIEW 2022 installations to Q3 Patch 7 or later
  • Migrate from LabVIEW 2021 to a supported release, as LabVIEW 2021 is no longer in mainstream support
  • Implement application whitelisting to restrict execution of untrusted VI files
  • Train users to recognize and avoid opening VI files from untrusted sources
  • Apply the principle of least privilege to LabVIEW processes to limit the impact of potential exploitation
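
The patch levels listed above can be checked against an asset inventory. The following is an added example, not code from PatchSiren, CISA or National Instruments. It assumes inventory version strings of the form "LabVIEW <year> Q<n> Patch <m>"; the hostnames and sample records are constructed.

```python
import re

# Minimum fixed builds from the recommended actions: year -> (quarter, patch)
FIXED = {2025: (3, 3), 2024: (3, 5), 2023: (3, 8), 2022: (3, 7)}
NO_FIX = {2021}  # out of mainstream support, receives no fix


def triage(version):
    """Classify one LabVIEW version string against the advisory's patch levels."""
    m = re.match(r"(?i)\s*(?:LabVIEW\s+)?(\d{4})\b(.*)$", version)
    if not m:
        return "unparsed"
    year, rest = int(m.group(1)), m.group(2)
    if year in NO_FIX:
        return "migrate"
    if year not in FIXED:
        return "not-covered"  # the page states nothing about this release
    d = re.fullmatch(r"(?i)\s*(?:Q([1-4]))?\s*(?:Patch\s+(\d+))?\s*", rest)
    if not d:
        return "unparsed"  # a suffix this sketch does not understand
    # Assumption: a missing quarter or patch number means the lowest build,
    # so incomplete records are flagged for upgrade rather than passed.
    build = (int(d.group(1) or 1), int(d.group(2) or 0))
    return "fixed" if build >= FIXED[year] else "upgrade"


def needs_action(inventory):
    """Return {host: status} for every host that is not confirmed fixed."""
    return {host: status
            for host, version in inventory.items()
            if (status := triage(version)) != "fixed"}


# Constructed inventory; hostnames and version strings are sample data.
SAMPLE = {
    "eng-ws-01": "LabVIEW 2025 Q3 Patch 3",
    "eng-ws-02": "LabVIEW 2024 Q3 Patch 2",
    "lab-rig-07": "LabVIEW 2023 Q1",
    "test-bench-3": "LabVIEW 2021 SP1",
    "legacy-pc": "LabVIEW 2019",
    "unknown-box": "n/a",
}

if __name__ == "__main__":
    for host, status in sorted(needs_action(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "not-covered" or "unparsed" need manual review against the vendor advisory, since the page gives no fix information for those releases.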

Evidence notes

Vulnerability details sourced from CISA CSAF advisory ICSA-25-352-03. CVSS vector confirms local attack vector with user interaction required. Vendor fix information explicitly lists patch versions per supported release year.

Official resources

National Instruments disclosed this vulnerability through CISA's ICS advisory program. The coordinated disclosure includes specific patch versions for all supported LabVIEW releases.