National Instruments LabVIEW
Plan Patch · CVSS 7.8 · ICS-CERT ICSA-24-345-04 · Dec 10, 2024
National Instruments
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
National Instruments LabVIEW contains an out-of-bounds read vulnerability (CWE-125) that could allow an attacker to disclose information or execute arbitrary code. The vulnerability affects LabVIEW 2024 (up to Q3 24.3f0), 2023 (all versions), and 2022 (all versions). LabVIEW 2021 and prior are end-of-life with no patch planned. Exploitation requires local access and user interaction.
What this means
What could happen
An attacker with local access to a LabVIEW development machine could read sensitive data or run arbitrary code, potentially compromising instrument control logic, test configurations, or intellectual property stored on engineering workstations.
Who's at risk
This affects organizations that use National Instruments LabVIEW for instrument control, data acquisition, or industrial automation development. The primary concern is engineering workstations and development machines used to build and deploy control systems for water treatment, power distribution, or other critical infrastructure. Systems running LabVIEW 2021 and earlier cannot be patched and should be retired or air-gapped if still in use.
How it could be exploited
An attacker with local access to a LabVIEW system could trigger the out-of-bounds read by opening a malicious file or project with user interaction, leading to information disclosure or arbitrary code execution on the engineering workstation. This could compromise control systems development or data on machines used to build and deploy industrial applications.
Prerequisites
- Local access to the LabVIEW system
- User interaction required (e.g., opening a malicious file or project)
- Vulnerable LabVIEW version installed (2024 up to Q3 24.3f0, 2023 all versions, or 2022 all versions)
Local access required · User interaction required · Low complexity exploitation · End-of-life product variant with no patch available (LabVIEW 2021 and earlier)
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
3 with fix · 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| LabVIEW 2024 | ≤ Q3 24.3f0 | Q3 Patch 2+ |
| LabVIEW 2023 | All versions | Q3 Patch 5+ |
| LabVIEW 2022 | All versions | Q3 Patch 4+ |
| LabVIEW 2021 (EOL) and below | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Restrict local access to LabVIEW development machines to authorized engineering personnel only
- WORKAROUND: Educate users not to open untrusted LabVIEW files or projects from unknown sources
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update LabVIEW 2024 to Q3 Patch 2 or later
- HOTFIX: Update LabVIEW 2023 to Q3 Patch 5 or later
- HOTFIX: Update LabVIEW 2022 to Q3 Patch 4 or later
Mitigations - no patch available
LabVIEW 2021 (EOL) and below has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate LabVIEW development and engineering workstations from operational control networks using network segmentation