PatchSiren cyber security CVE debrief
CVE-2025-64464 NI CVE debrief
National Instruments LabVIEW contains an out-of-bounds read vulnerability in the lvre!VisaWriteFromFile() function that triggers when opening a corrupted VI (Virtual Instrument) file. The vulnerability, published 2025-12-18, carries a CVSS 3.1 score of 7.8 (HIGH severity). Successful exploitation requires user interaction: a victim must be convinced to open a maliciously crafted VI file. The impact ranges from information disclosure to arbitrary code execution. CISA issued advisory ICSA-25-352-03 on the same date as CVE publication. National Instruments has released patched versions for supported LabVIEW releases (2022 through 2025); LabVIEW 2021 is no longer in mainstream support and does not receive fixes.
- Vendor: NI
- Product: LabVIEW
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-18
- Original CVE updated: 2025-12-18
- Advisory published: 2025-12-18
- Advisory updated: 2025-12-18
Who should care
Organizations running National Instruments LabVIEW in engineering, test, measurement, and industrial automation environments. This includes manufacturing facilities, research laboratories, aerospace/defense contractors, and academic institutions using LabVIEW for data acquisition and control systems. Security teams in OT/ICS environments should prioritize patching due to the potential for code execution in systems that may interface with physical processes.
Technical summary
The vulnerability exists in the lvre!VisaWriteFromFile() function within LabVIEW's runtime engine. When processing a malformed or corrupted VI file, improper bounds checking leads to an out-of-bounds read condition. This memory safety defect can be leveraged to leak sensitive information from process memory or achieve arbitrary code execution under the context of the LabVIEW process. The attack vector is local (AV:L) with low attack complexity (AC:L), requiring no privileges (PR:N) but mandating user interaction (UI:R) to open the malicious file. The confidentiality, integrity, and availability impacts are all rated HIGH.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade LabVIEW 2025 to Q3 Patch 3 or later via NI Package Manager or Software Downloads
- Upgrade LabVIEW 2024 to Q3 Patch 5 or later via NI Package Manager or Software Downloads
- Upgrade LabVIEW 2023 to Q3 Patch 8 or later via NI Package Manager or Software Downloads
- Upgrade LabVIEW 2022 to Q3 Patch 7 or later via NI Package Manager or Software Downloads
- Migrate from LabVIEW 2021 to a supported version (2021 is no longer in mainstream support)
- Train users to recognize and avoid opening untrusted VI files from unknown sources
- Implement application whitelisting and endpoint protection to block execution of untrusted LabVIEW files
- Review CISA ICS recommended practices for defense-in-depth strategies in OT environments
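The patch baselines listed above can be checked against an asset inventory. The following is an added example, not code from NI, CISA, or this page's source; the inventory string format ("LabVIEW <year> Q<quarter> Patch <n>"), the host names, and the function names are assumptions made for illustration.

```python
import re

# Minimum fixed release per LabVIEW year, from the remediation list above:
# year -> (quarter, patch number), e.g. 2024 -> Q3 Patch 5.
FIXED = {2025: (3, 3), 2024: (3, 5), 2023: (3, 8), 2022: (3, 7)}

# Assumed inventory format (constructed for this example):
# "LabVIEW <year> Q<quarter> [Patch <n>]"; a missing patch counts as patch 0.
_VERSION = re.compile(
    r"LabVIEW\s+(?P<year>\d{4})\b(?:\s+Q(?P<q>[1-4]))?(?:\s+Patch\s+(?P<patch>\d+))?",
    re.IGNORECASE,
)


def assess(version_string):
    """Classify one installed-version string against the fixed releases."""
    m = _VERSION.search(version_string)
    if not m:
        return "unknown"
    year = int(m.group("year"))
    if year == 2021:
        return "unsupported"  # no fix is issued; the page says to migrate
    if year not in FIXED or m.group("q") is None:
        return "unknown"  # not covered by the list above, or quarter missing
    installed = (int(m.group("q")), int(m.group("patch") or 0))
    # Tuple comparison: an earlier quarter is always below the Q3 baseline.
    return "patched" if installed >= FIXED[year] else "vulnerable"


def triage(inventory):
    """Map each host to its status; hosts needing action sort first."""
    order = {"vulnerable": 0, "unsupported": 1, "unknown": 2, "patched": 3}
    results = {host: assess(ver) for host, ver in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (order[kv[1]], kv[0])))


# Constructed sample inventory (hypothetical host names and version strings).
SAMPLE = {
    "test-rig-01": "LabVIEW 2025 Q3 Patch 3",
    "test-rig-02": "LabVIEW 2024 Q3 Patch 4",
    "daq-lab-07": "LabVIEW 2023 Q1 Patch 9",
    "legacy-bench": "LabVIEW 2021 Q3 Patch 2",
    "new-build": "LabVIEW 2026 Q1",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:14} {SAMPLE[host]:28} {status}")
```

Releases the list above does not mention are reported as "unknown" rather than assumed safe, so they still surface for manual review.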
Evidence notes
CVE description and CISA CSAF advisory ICSA-25-352-03 both published 2025-12-18. CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H confirmed in source. Vendor fix details extracted from CSAF remediations section.
Official resources
- CVE-2025-64464 CVE record (CVE.org)
- CVE-2025-64464 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-12-18