PatchSiren cyber security CVE debrief
CVE-2025-64467 National Instruments CVE debrief
National Instruments LabVIEW contains an out-of-bounds read vulnerability in the LVResFile::FindRsrcListEntry() function that triggers when opening a corrupted VI (Virtual Instrument) file. The vulnerability, published December 18, 2025, carries a CVSS 3.1 score of 7.8 (HIGH severity). Successful exploitation requires user interaction—specifically, convincing a victim to open a maliciously crafted VI file. The impact scope includes potential information disclosure and arbitrary code execution. The vulnerability affects multiple LabVIEW versions, with patches available for supported releases. LabVIEW 2021 is noted as not being in mainstream support and lacks a vendor fix.
- Vendor: National Instruments
- Product: LabVIEW
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-18
- Original CVE updated: 2025-12-18
- Advisory published: 2025-12-18
- Advisory updated: 2025-12-18
Who should care
Organizations using National Instruments LabVIEW in engineering, test, measurement, and industrial automation environments. This includes manufacturing facilities, research laboratories, aerospace/defense contractors, and academic institutions relying on LabVIEW for data acquisition and control systems. Security teams should prioritize patching due to the high severity rating and potential for code execution in environments where LabVIEW processes may have access to sensitive operational technology networks.
Technical summary
The vulnerability exists in the LVResFile::FindRsrcListEntry() function within LabVIEW's resource file handling code. When processing a corrupted VI file, improper bounds checking leads to an out-of-bounds read condition. This memory safety defect can be leveraged to disclose sensitive information from process memory or achieve arbitrary code execution under the context of the LabVIEW process. The attack requires local access with user interaction (opening a malicious VI), with no privileges required. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates high impacts across confidentiality, integrity, and availability dimensions.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade LabVIEW 2025 to Q3 Patch 3 or later via NI Package Manager or Software Downloads
- Upgrade LabVIEW 2024 to Q3 Patch 5 or later via NI Package Manager or Software Downloads
- Upgrade LabVIEW 2023 to Q3 Patch 8 or later via NI Package Manager or Software Downloads
- Upgrade LabVIEW 2022 to Q3 Patch 7 or later via NI Package Manager or Software Downloads
- For LabVIEW 2021, migrate to a supported version as it is no longer in mainstream support
- Implement user awareness training to reduce risk of social engineering attacks targeting VI file opening
- Apply defense-in-depth strategies per CISA ICS recommended practices
- Restrict execution of untrusted VI files through application whitelisting where feasible
Evidence notes
Vulnerability details sourced from CISA CSAF advisory ICSA-25-352-03. CVSS vector confirms local attack vector with user interaction required. Vendor fix URLs provided in CSAF remediations section.
Official resources
- CVE-2025-64467 CVE record (CVE.org)
- CVE-2025-64467 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2025-12-18