NI LabVIEW Code Injection Vulnerability via CIN Nodes Allowing Arbitrary Code Execution

Vulnerability

A code injection vulnerability has been identified in 32-bit NI LabVIEW 2025 Q1 and prior versions. This vulnerability arises from an improper initialization check, allowing for arbitrary code execution. Exploitation requires an attacker to persuade a user to open a specially crafted Virtual Instrument (VI) that includes a Code Interface Node (CIN). Notably, LabVIEW 64-bit versions do not support CIN nodes and are therefore not affected.

Impact

Exploitation of this vulnerability could lead to arbitrary code execution on the affected system.

Remediation

Users are advised to upgrade to LabVIEW 2025 Q3 or later. For those using LabVIEW 2025 Q1, a patch is in progress. After upgrading, users should replace CIN nodes with Call Library Function Nodes (CLFN) for interfacing with external code. If necessary for backwards compatibility, CIN nodes can be re-enabled by modifying the configuration file, although this carries risks.

Added: Jul 29, 2025, 10:20 PM
Updated: Jul 29, 2025, 10:20 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 10.0
exploitability: 4.4
remediation: 8.3
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.