CVE-2025-64461
📋 TL;DR
An out-of-bounds write vulnerability in NI LabVIEW's mgocre_SH_25_3!RevBL() function allows attackers to execute arbitrary code or disclose information by tricking users into opening malicious VI files. This affects all NI LabVIEW 2025 Q3 (25.3) and earlier versions. Users who open untrusted VI files are at risk.
💻 Affected Systems
- NI LabVIEW
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with arbitrary code execution leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation or information disclosure from the LabVIEW process memory space.
If Mitigated
No impact if users only open trusted VI files from verified sources.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) and knowledge of VI file structure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: NI LabVIEW 2025 Q4 or later
Restart Required: Yes
Instructions:
1. Download the latest NI LabVIEW version from the NI website.
2. Run the installer with administrative privileges.
3. Follow the installation prompts.
4. Restart the system after installation completes.
🔧 Temporary Workarounds
Restrict VI file execution
Configure application control policies to block execution of untrusted VI files.
User awareness training
Train users to only open VI files from trusted sources and verify file integrity.
🧯 If You Can't Patch
- Implement application whitelisting to only allow execution of known-good LabVIEW instances.
- Use network segmentation to isolate LabVIEW systems from critical infrastructure.
🔍 How to Verify
Check if Vulnerable:
Check the LabVIEW version via Help > About LabVIEW. If the version is 25.3 or earlier, the system is vulnerable.
Check Version:
On Windows: wmic product where name="LabVIEW" get version
Verify Fix Applied:
Verify LabVIEW version is 2025 Q4 or later after patching.
📡 Detection & Monitoring
Log Indicators:
- Unexpected LabVIEW crashes
- Unusual process creation from LabVIEW.exe
Network Indicators:
- Unexpected outbound connections from LabVIEW process
SIEM Query:
process_name="LabVIEW.exe" AND (event_id=1000 OR event_id=1001)
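Triage example:
The three indicators listed above, applied to normalized events. This is an added example, not part of the original advisory or NI tooling. The field names (kind, process_name, parent_process_name, dest_ip, host), the allowed subnet, and the rule that two or more distinct indicators on one host means high priority are all assumptions to adapt to your own log schema.

```python
import ipaddress

# Normalized field names below are assumptions; map them to your log schema.
TARGET = "labview.exe"
CRASH_EVENT_IDS = {1000, 1001}  # event IDs taken from the SIEM query on this page
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical lab subnet

def classify(event):
    """Return the indicator name an event matches, or None."""
    kind = event.get("kind")
    proc = event.get("process_name", "").lower()
    parent = event.get("parent_process_name", "").lower()
    if kind == "app_error" and proc == TARGET and event.get("event_id") in CRASH_EVENT_IDS:
        return "labview_crash"
    if kind == "process_create" and parent == TARGET:
        return "labview_child_process"
    if kind == "network_connect" and proc == TARGET:
        try:
            dest = ipaddress.ip_address(event.get("dest_ip", ""))
        except ValueError:
            return "labview_unexpected_outbound"  # unparseable destination: flag it
        if not any(dest in net for net in ALLOWED_NETS):
            return "labview_unexpected_outbound"
    return None

def triage(events):
    """Group indicators per host; 2+ distinct indicators on a host is 'high'."""
    hits = {}
    for ev in events:
        name = classify(ev)
        if name:
            hits.setdefault(ev.get("host", "unknown"), set()).add(name)
    return {host: ("high" if len(names) >= 2 else "review", sorted(names))
            for host, names in hits.items()}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"host": "lab-ws-01", "kind": "app_error", "event_id": 1000, "process_name": "LabVIEW.exe"},
    {"host": "lab-ws-01", "kind": "process_create", "process_name": "cmd.exe",
     "parent_process_name": "LabVIEW.exe"},
    {"host": "lab-ws-02", "kind": "network_connect", "process_name": "LabVIEW.exe", "dest_ip": "10.20.4.7"},
    {"host": "lab-ws-03", "kind": "network_connect", "process_name": "LabVIEW.exe", "dest_ip": "203.0.113.50"},
    {"host": "lab-ws-04", "kind": "app_error", "event_id": 1000, "process_name": "excel.exe"},
]

if __name__ == "__main__":
    for host, (priority, names) in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, priority, ", ".join(names))
```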