Dependency on Vulnerable Third-Party Component Exposes Vulnerabilities in NI Vision Software

Overview

NI’s vision-related software uses a third-party image-processing library that exposes several vulnerabilities. These vulnerabilities may result in arbitrary code execution. Successful exploitation requires an attacker to get a user to open a specially crafted file. Refer to the Affected Products section for a complete list of affected software.

The vulnerability in NI products is identified as CVE-2024-12740. The third-party library has now been replaced. See Mitigation Guidance for information on mitigating affected products.

Mitigation Guidance

NI strongly recommends upgrading the affected software to mitigate these vulnerabilities.  If an upgrade is not possible, users can also mitigate these issues by installing Vision Common Resources 2025 Q1 or later from NI Package Manager.  

Refer to the Affected Products section for information on each of the affected products.  

Affected Products

| Product Version | Mitigation |
| --- | --- |
| Vision Development Module 2024 Q1 and prior | Upgrade to Vision Development Module 2025 Q1 or later from NI Package Manager or Software Downloads |
| FlexRIO 2024 Q4 and prior | Upgrade to FlexRIO 2025 Q1 or later from NI Package Manager or Software Downloads |
| Vision Acquisition Software 2023 Q1 and prior (Note: VAS includes NI-IMAQ, NI-IMAQdx, and NI-IMAQ I/O drivers) | Upgrade to Vision Acquisition Software 2025 Q1 or later from NI Package Manager or Software Downloads |
| NI-IMAQdx 2023 Q1 and prior | Upgrade to NI-IMAQdx 2025 Q1 or later from NI Package Manager |
| Vision Builder for Automated Inspection (VBAI) 2023 Q3 and prior | Install Vision Common Resources 2025 Q1 or later from NI Package Manager |
| Data Record AD 2.0 and prior | |
| FRC Game Tools 2025 and prior | |
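
The following is an added example, not NI code: a triage of a software inventory against the quarter-versioned rows of the table above, including the Vision Common Resources mitigation and versions that fall between a row's "and prior" and "or later" bounds. The inventory format, host names and the use of the table's product names as inventory keys are assumptions; Data Record AD and FRC Game Tools use other version schemes and are not covered.

```python
import re

# Thresholds from the Affected Products table: (last affected, first fixed).
# first fixed is None where the table lists only the Vision Common Resources fix.
TABLE = {
    "Vision Development Module": ("2024 Q1", "2025 Q1"),
    "FlexRIO": ("2024 Q4", "2025 Q1"),
    "Vision Acquisition Software": ("2023 Q1", "2025 Q1"),
    "NI-IMAQdx": ("2023 Q1", "2025 Q1"),
    "Vision Builder for Automated Inspection": ("2023 Q3", None),
}
VCR, VCR_FIXED = "Vision Common Resources", "2025 Q1"

def parse_q(version):
    """Turn 'YYYY Qn' into a sortable (year, quarter) tuple."""
    m = re.fullmatch(r"(\d{4}) Q([1-4])", version.strip())
    if not m:
        raise ValueError(f"not a 'YYYY Qn' version: {version!r}")
    return int(m.group(1)), int(m.group(2))

def triage(installed):
    """Map each listed product on one host to fixed/mitigated/affected/unlisted."""
    vcr_ok = VCR in installed and parse_q(installed[VCR]) >= parse_q(VCR_FIXED)
    status = {}
    for product, version in installed.items():
        if product not in TABLE:
            continue
        last_affected, first_fixed = TABLE[product]
        v = parse_q(version)
        if first_fixed and v >= parse_q(first_fixed):
            status[product] = "fixed"
        elif vcr_ok:
            status[product] = "mitigated"      # Vision Common Resources route
        elif v <= parse_q(last_affected):
            status[product] = "affected"
        else:
            status[product] = "unlisted"       # between the two table bounds
    return status

# Constructed inventory (hypothetical host names and format), not real data.
HOSTS = {
    "lab-pc-01": {"Vision Development Module": "2023 Q4", "NI-IMAQdx": "2025 Q1"},
    "lab-pc-02": {"Vision Builder for Automated Inspection": "2023 Q3", VCR: "2025 Q1"},
    "lab-pc-03": {"Vision Development Module": "2024 Q3"},
}

if __name__ == "__main__":
    for host, installed in HOSTS.items():
        print(host, triage(installed))
```

A host reported as "unlisted" runs a version the table neither marks as affected nor as fixed, so it needs a manual check rather than being assumed safe.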
 

CVSS Score

CVE-2024-12740 – 7.8 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

NI would like to thank kimiya, working with Trend Micro Zero Day Initiative, for reporting this issue and working with us on coordinated disclosure.
