CVE-2025-2632: 
LabVIEW vulnerability analysis and mitigation

Out of bounds write vulnerability (CVE-2025-2632) exists in NI LabVIEW due to improper bounds checking when reading CPU info from cache. The vulnerability affects NI LabVIEW 2025 Q1 and prior versions, and may result in information disclosure or arbitrary code execution. The vulnerability was discovered by Michael Heinzl and was disclosed on April 9, 2025 (NI Security, CISA).

The vulnerability is classified as an out-of-bounds write (CWE-787) vulnerability. It has received a CVSS v3.1 base score of 7.8 (High) with vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 score of 8.5 (High) with vector string AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. Successful exploitation requires user interaction to open a specially crafted VI file (NI Security, CISA).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code on affected installations of LabVIEW or cause invalid memory writes. The vulnerability affects critical manufacturing sectors worldwide (CISA).

National Instruments has released patches for affected versions: LabVIEW 2025 users should upgrade to LabVIEW 2025 Q1 Patch 2 or later, LabVIEW 2024 users should upgrade to 2024 Q3 Patch 3 or later, LabVIEW 2023 users should upgrade to 2023 Q3 Patch 6 or later, and LabVIEW 2022 users should upgrade to 2022 Q3 Patch 5 or later. CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the Internet, and using secure methods like VPNs when remote access is required (NI Security, CISA).