A deserialization of untrusted data vulnerability exists in common code used by FlexLogger and InstrumentStudio that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects NI FlexLogger 2024 Q1 and prior versions as well as NI InstrumentStudio 2024 Q1 and prior versions.
This vulnerability is identified as CVE-2024-4044.
NI strongly recommends upgrading the affected software to mitigate this vulnerability. Refer to the Affected Products section for information on upgrading these products.
CVE-2024-4044 – 7.8 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank kimiya working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.
Product Version | Mitigation |
---|---|
NI FlexLogger 2024 Q1 and prior versions | Upgrade to NI FlexLogger 2024 Q2 or later from NI Package Manager or Software Downloads |
NI InstrumentStudio 2024 Q1 and prior versions | Upgrade to NI InstrumentStudio 2024 Q2 or later from NI Package Manager or Software Downloads |