CVE-2025-2634: 
LabVIEW vulnerability analysis and mitigation

Out of bounds read vulnerability (CVE-2025-2634) exists in NI LabVIEW's fontmgr component due to improper bounds checking, which may result in information disclosure or arbitrary code execution. The vulnerability affects NI LabVIEW 2025 Q1 and prior versions. Successful exploitation requires an attacker to get a user to open a specially crafted VI (NVD, CISA).

The vulnerability is classified as CWE-1285 (Improper Validation of Specified Index, Position, or Offset in Input). It has received a CVSS v3.1 base score of 7.8 (HIGH) with vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, and a CVSS v4.0 base score of 7.1 with vector string AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD, NI Security).

If successfully exploited, this vulnerability could lead to information disclosure and arbitrary code execution on affected installations of LabVIEW, potentially resulting in invalid memory reads. The vulnerability affects critical manufacturing sectors worldwide (CISA).

National Instruments has released patches for the affected products. Users are strongly recommended to upgrade to the latest version. CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the Internet, locating control system networks behind firewalls, and isolating them from business networks. When remote access is required, secure methods such as VPNs should be used (CISA, NI Security).

The vulnerability was reported by security researcher Michael Heinzl working with CISA, demonstrating coordinated disclosure practices between security researchers and affected vendors (NI Security).