Executive Summary
In December 2025, multiple critical vulnerabilities (CVE-2025-64461 through CVE-2025-64469) were disclosed in National Instruments LabVIEW, a widely used engineering and industrial control software package. The flaws, which include out-of-bounds write, out-of-bounds read, use-after-free, and stack-based buffer overflow, enable attackers to execute arbitrary code or exfiltrate information when a user opens a specially crafted VI file. Impacted versions span from LabVIEW 2021 up to 2025 Q3, affecting sectors such as critical manufacturing, defense, IT, and transportation globally. National Instruments released patches addressing these flaws, with older versions receiving limited or no support.
Though there have been no reports of active exploitation, this disclosure highlights the persistent risk of supply chain and software vulnerabilities in critical ICS environments. Recent trends show a rise in sophisticated attacks leveraging user interaction and file-based exploits, emphasizing the growing need for robust patch management and secure software usage.
Why This Matters Now
LabVIEW’s vulnerabilities underscore urgent risks for critical infrastructure operators reliant on engineering workstations and ICS software. As file-based exploits proliferate and social engineering lures remain effective, rapid patching and layered defenses are essential to prevent potentially catastrophic operational or data impacts.
Attack Path Analysis
Because no active exploitation has been reported, the following describes the expected attack path rather than an observed intrusion. An attacker would gain initial access by delivering a specially crafted malicious VI file to a LabVIEW user, exploiting the parsing vulnerabilities once the user opens the file. With arbitrary code execution established, the attacker would attempt to escalate privileges locally on the compromised system to achieve persistent access, then seek to move laterally within the internal network, potentially targeting other high-value systems or cloud workloads. To maintain ongoing communication, the attacker may set up new command and control channels over permitted egress paths. Exfiltration of sensitive data would likely be attempted via outbound channels, potentially using encrypted connections or disguised traffic. The end impact would be disruption of systems, manipulation of data, or deployment of further malware.
Kill Chain Progression
Initial Compromise
Description
The attacker socially engineered a LabVIEW user to open a specially crafted, malicious VI file, resulting in exploitation of out-of-bounds write, use-after-free, or buffer overflows to achieve code execution.
Related CVEs
CVE-2025-64461
CVSS 7.8
An out-of-bounds write vulnerability in NI LabVIEW's mgocre_SH_25_3!RevBL() function when parsing a corrupted VI file may result in information disclosure or arbitrary code execution. Exploitation requires user interaction with a specially crafted VI file.
Affected Products:
National Instruments LabVIEW – 2025 Q3 and prior
Exploit Status:
no public exploit
CVE-2025-64462
CVSS 7.8
An out-of-bounds read vulnerability in NI LabVIEW's LVResFile::RGetMemFileHandle() function when parsing a corrupted VI file may result in information disclosure or arbitrary code execution. Exploitation requires user interaction with a specially crafted VI file.
Affected Products:
National Instruments LabVIEW – 2025 Q3 and prior
Exploit Status:
no public exploit
CVE-2025-64463
CVSS 7.8
An out-of-bounds read vulnerability in NI LabVIEW's LVResource::DetachResource() function when parsing a corrupted VI file may result in information disclosure or arbitrary code execution. Exploitation requires user interaction with a specially crafted VI file.
Affected Products:
National Instruments LabVIEW – 2025 Q3 and prior
Exploit Status:
no public exploit
CVE-2025-64464
CVSS 7.8
An out-of-bounds read vulnerability in NI LabVIEW's lvre!VisaWriteFromFile() function when parsing a corrupted VI file may result in information disclosure or arbitrary code execution. Exploitation requires user interaction with a specially crafted VI file.
Affected Products:
National Instruments LabVIEW – 2025 Q3 and prior
Exploit Status:
no public exploit
CVE-2025-64465
CVSS 7.8
An out-of-bounds read vulnerability in NI LabVIEW's lvre!DataSizeTDR() function when parsing a corrupted VI file may result in information disclosure or arbitrary code execution. Exploitation requires user interaction with a specially crafted VI file.
Affected Products:
National Instruments LabVIEW – 2025 Q3 and prior
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
User Execution: Malicious File
Command and Scripting Interpreter
Exploitation for Privilege Escalation
Exploitation of Remote Services
Exploitation for Client Execution
Deobfuscate/Decode Files or Information
Windows Management Instrumentation
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Security Patches and Updates
Control ID: 6.2.4
NIS2 Directive – Technical and Organizational Measures
Control ID: Art. 21(2)
DORA (EU 2022/2554) – ICT Risk Management – Vulnerability Handling
Control ID: Art. 9(2)(a)
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
CISA Zero Trust Maturity Model (ZTMM) v2.0 – Automated Asset Vulnerability Management
Control ID: Device Pillar: Asset Management
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Defense/Space
Critical infrastructure operators using LabVIEW for weapon systems and aerospace controls face arbitrary code execution risks from corrupted VI files.
Critical Manufacturing
Manufacturing control systems that rely on LabVIEW are vulnerable to information disclosure and code execution through malicious VI file exploitation.
Automotive
Vehicle testing and manufacturing systems using LabVIEW are exposed to buffer overflow and use-after-free vulnerabilities enabling arbitrary code execution.
Oil/Energy/Solar/Greentech
Energy sector control systems running LabVIEW face high-severity vulnerabilities that allow attackers to execute code via specially crafted files.
Sources
- National Instruments LabVIEW (CISA ICS Advisory ICSA-25-352-03): https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-03
- Multiple Memory Corruption Vulnerabilities in NI LabVIEW: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/multiple-memory-corruption-vulnerabilities-in-ni-labview.html
- CVE-2025-64461 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-64461
- CVE-2025-64462 Detail: https://nvd.nist.gov/vuln/detail/CVE-2025-64462
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust network segmentation, workload isolation, threat detection, and policy-enforced controls directly mitigate critical attack stages by reducing the blast radius of arbitrary code execution, restricting lateral movement, and controlling egress for command & control or exfiltration. CNSF-aligned controls help ensure only authorized east-west flows and application communications are allowed, making exploitation and data loss significantly more difficult.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection and alerting on anomalous user or endpoint behaviors.
Control: Zero Trust Segmentation
Mitigation: Limits access scope for exploited accounts or applications based on least privilege.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized lateral movement across segmented workloads and network zones.
Control: Cloud Firewall (ACF)
Mitigation: Detects and blocks known command-and-control traffic patterns or egress attempts.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents or alerts on suspicious data exfiltration using policy-based outbound controls.
Centralized traffic observability and fast detection of anomalous or destructive behaviors support rapid incident response.
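As an added detection example (not from the advisory, CISA or NI), the rule below implements the "Threat Detection & Anomaly Response" control for the endpoint stage of this attack path: it scans Sysmon-style process-creation records and flags the LabVIEW process acting as parent of a scripting interpreter, WMI client or similar living-off-the-land binary, which is what the User Execution, Command and Scripting Interpreter and Windows Management Instrumentation techniques listed above would look like on an engineering workstation after a malicious VI file is opened. The process name LabVIEW.exe, the record format and the sample events are all assumptions constructed for the example.

```python
import ntpath
import re
from typing import Dict, List

# Assumed executable name of the LabVIEW development environment (not stated on this page).
LABVIEW_IMAGES = {"labview.exe"}
# Child images a data-acquisition IDE has little legitimate reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "wmic.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}

_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" process-creation record into a dict."""
    return dict(_KV.findall(line))


def is_suspicious(ev: Dict[str, str]) -> bool:
    """True when LabVIEW is the parent of a scripting, WMI or LOLBin child."""
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    child = ntpath.basename(ev.get("Image", "")).lower()
    return parent in LABVIEW_IMAGES and child in SUSPICIOUS_CHILDREN


def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    """Return the process-creation events (EventID 1) that match the rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1" and is_suspicious(ev):
            alerts.append(ev)
    return alerts


# Constructed sample records in Sysmon Event ID 1 style; all paths are made up.
SAMPLE_EVENTS = [
    'EventID="1" Image="C:\\Program Files\\NI\\LabVIEW 2025\\LabVIEW.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="LabVIEW.exe C:\\Users\\eng\\Downloads\\test_rig.vi"',
    'EventID="1" Image="C:\\Windows\\System32\\cmd.exe" ParentImage="C:\\Program Files\\NI\\LabVIEW 2025\\LabVIEW.exe" CommandLine="cmd.exe /c set"',
    'EventID="1" Image="C:\\Windows\\System32\\wbem\\WMIC.exe" ParentImage="C:\\Program Files\\NI\\LabVIEW 2025\\LabVIEW.exe" CommandLine="wmic process list"',
    'EventID="1" Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe" CommandLine="notepad.exe"',
]

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", a["ParentImage"], "->", a["CommandLine"])
```

Opening the VI file itself (the first record) is benign and must not alert; only the two child launches are flagged, so the rule can run at low noise on workstations where LabVIEW is in daily use.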
Impact at a Glance
Affected Business Functions
- Research and Development
- Product Testing
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of proprietary research data and intellectual property.
Recommended Actions
Key Takeaways & Next Steps
- Apply Zero Trust segmentation to critical LabVIEW and OT workloads to prevent lateral movement and limit blast radius.
- Deploy egress filtering and policy-based outbound controls to block exploit-driven C2 and unsanctioned data exfiltration.
- Enable behavioral anomaly and threat detection capabilities to rapidly alert on exploit attempts and abnormal user/process activity.
- Enforce least-privilege identity and network access via microsegmentation and identity-aware policies to reduce escalation opportunities.
- Maintain continuous visibility across hybrid and multicloud infrastructure to quickly detect, investigate, and respond to attacks.