An improper input validation vulnerability in NI Configuration Manager versions prior to 22.5 may allow a privileged user to escalate privileges via local access. This vulnerability is identified as CVE-2022-35415.
NI Configuration Manager is installed with many NI drivers and software products. This vulnerability applies to Windows systems only. Refer to the Mitigation Guidance section for identifying the version of NI Configuration Manager installed.
NI strongly recommends upgrading the affected software to address this vulnerability.
To determine the version of NI Configuration Manager installed:
If the installed version is prior to 22.5.0f66, refer to the Affected Products table below for the software to download and install in order to upgrade.
Product Version | Mitigation |
---|---|
NI Configuration Manager versions prior to 22.5.0* | Install NI Measurement & Automation Explorer using System Configuration 2022 Q3 or later |
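
An added example, not NI's code: a Python triage helper that compares NI Configuration Manager version strings collected from hosts against the 22.5.0f66 build named above. The version layout (major.minor.patch, phase letter, build number), the phase-letter ordering, and the function and host names are assumptions.

```python
import re

FIXED = "22.5.0f66"  # fixed build named in the advisory

# Assumed layout: major.minor.patch plus optional phase letter and build
# number, as in "22.5.0f66". The phase ordering is an assumption.
PHASE_RANK = {"d": 0, "a": 1, "b": 2, "f": 3}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:([dabf])(\d+))?$")


def parse_version(text):
    """Return ((major, minor, patch), (phase_rank, build) or None), or None."""
    m = VERSION_RE.match(text.strip().lower())
    if m is None:
        return None
    triple = tuple(int(g) for g in m.group(1, 2, 3))
    suffix = None
    if m.group(4):
        suffix = (PHASE_RANK[m.group(4)], int(m.group(5)))
    return triple, suffix


def classify(installed):
    """Return 'affected', 'fixed', or 'review' for one version string."""
    parsed = parse_version(installed)
    if parsed is None:
        return "review"  # unrecognised format: check by hand
    triple, suffix = parsed
    fixed_triple, fixed_suffix = parse_version(FIXED)
    if triple != fixed_triple:
        # Integer comparison, so 22.10.0 sorts after 22.5.0.
        return "affected" if triple < fixed_triple else "fixed"
    if suffix is None:
        return "review"  # "22.5.0" alone cannot be ordered against f66
    return "affected" if suffix < fixed_suffix else "fixed"


def triage(inventory):
    """Map host name -> status for a {host: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory; host names and versions are made up.
SAMPLE = {"daq-01": "21.3.0f100", "daq-02": "22.5.0f65", "daq-03": "22.5.0f66",
          "daq-04": "22.10.0f1", "daq-05": "22.5.0", "daq-06": "n/a"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `review` carry a version string that cannot be ordered against the fixed build and need a manual check.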
CVE-2022-35415 – 7.9 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
At NI, we view the security of our products as an important part of our commitment to our customers. Go to ni.com/security to stay informed and act upon security alerts and issues.
NI would like to thank Michael Kenney (@bzyo_) for reporting this issue and working with us on coordinated disclosure.