CVE-2025-2630: 
LabVIEW vulnerability analysis and mitigation

A DLL hijacking vulnerability (CVE-2025-2630) was discovered in NI LabVIEW due to an uncontrolled search path. The vulnerability was disclosed on April 9, 2025, affecting NI LabVIEW 2025 Q1 and prior versions. This security flaw could potentially allow arbitrary code execution if an attacker successfully inserts a malicious DLL into the uncontrolled search path (NI Security).

The vulnerability is classified as an Uncontrolled Search Path Element (CWE-427) issue. It has received a CVSS v3.1 base score of 7.3 (High) with the vector string AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 7.0 (High) with the vector string AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD).

If successfully exploited, this vulnerability could lead to arbitrary code execution on affected systems. The high CVSS scores indicate significant potential impact on system confidentiality, integrity, and availability when exploited (NI Security).

NI has released patches to address this vulnerability. Users are strongly recommended to upgrade to LabVIEW 2025 Q1 Patch 2 or later, LabVIEW 2024 Q3 Patch 3 or later, LabVIEW 2023 Q3 Patch 6 or later, or LabVIEW 2022 Q3 Patch 5 or later. For deployed LabVIEW applications, users should also patch their LabVIEW Run-Time Engine (NI Security).

The vulnerability was responsibly disclosed by Mike Palafox from BLOOMY®, who worked with NI on coordinated disclosure (NI Security).