NI's vision-related software uses a third-party image processing library that exposes several vulnerabilities. These vulnerabilities may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted file. Refer to the Affected Products section for a complete list of affected software.
The vulnerability in NI products is identified as CVE-2024-12740. The third-party library has now been replaced. See Mitigation Guidance for information on mitigating affected products.
NI strongly recommends upgrading the affected software to mitigate these vulnerabilities. If an upgrade is not possible, users can also mitigate these issues by installing Vision Common Resources 2025 Q1 or later from NI Package Manager.
Refer to the Affected Products section for information on each of the affected products.
Product Version | Mitigation |
---|---|
Vision Development Module 2024 Q1 and prior | Upgrade to Vision Development Module 2025 Q1 or later from NI Package Manager or Software Downloads |
FlexRIO 2024 Q4 and prior | Upgrade to FlexRIO 2025 Q1 or later from NI Package Manager or Software Downloads |
Vision Acquisition Software 2023 Q1 and prior (Note: VAS includes NI-IMAQ, NI-IMAQdx, and NI-IMAQ I/O drivers) | Upgrade to Vision Acquisition Software 2025 Q1 or later from NI Package Manager or Software Downloads |
NI-IMAQdx 2023 Q1 and prior | Upgrade to NI-IMAQdx 2025 Q1 or later from NI Package Manager |
Vision Builder for Automated Inspection (VBAI) 2023 Q3 and prior | Install Vision Common Resources 2025 Q1 or later from NI Package Manager |
Data Record AD 2.0 and prior | |
FRC Game Tools 2025 and prior | |

CVE-2024-12740 – 7.8 – CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank kimiya, working with Trend Micro Zero Day Initiative, for reporting this issue and working with us on coordinated disclosure.