CVE-2025-12097 identifies a relative path traversal vulnerability (CWE-23) in the NI System Web Server component integrated with NI LabVIEW, specifically affecting version 9.0.0 and earlier. The vulnerability allows an unauthenticated remote attacker to craft malicious HTTP requests that manipulate file path parameters, bypassing intended directory restrictions. This enables the attacker to read arbitrary files on the server's filesystem, potentially exposing sensitive configuration files, credentials, or intellectual property. The flaw originates from insufficient validation and sanitization of user-supplied input in the web server's file path handling logic. The vulnerability was present in NI System Web Server versions released before 2013 and has been addressed in subsequent updates. The CVSS 3.1 base score of 7.5 reflects the network attack vector, low attack complexity, no privileges or user interaction required, and a high impact on confidentiality without affecting integrity or availability. While no public exploits have been reported, the vulnerability poses a significant risk due to the sensitive nature of files accessible and the ease of exploitation. NI LabVIEW is widely used in industrial automation, test, and measurement environments, making this vulnerability particularly relevant for organizations relying on legacy systems. The vulnerability's disclosure in late 2025 highlights the importance of maintaining updated software versions and monitoring legacy infrastructure for residual risks.

The primary impact of CVE-2025-12097 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. For European organizations, especially those in industrial automation, manufacturing, and critical infrastructure sectors that utilize NI LabVIEW and its System Web Server, this could lead to exposure of proprietary data, system configurations, and credentials. Such information leakage can facilitate further attacks, including targeted intrusions, intellectual property theft, and operational disruptions. Since the vulnerability does not affect integrity or availability directly, the immediate operational impact may be limited; however, the confidentiality breach can have cascading effects on organizational security posture. The ease of exploitation without authentication or user interaction increases the risk, particularly in environments where legacy LabVIEW systems remain exposed to untrusted networks. This vulnerability could also undermine compliance with European data protection regulations if sensitive personal or operational data is exposed. The lack of known exploits in the wild reduces immediate threat levels but does not eliminate the risk, especially if attackers develop proof-of-concept or weaponized exploits.

To mitigate CVE-2025-12097, European organizations should prioritize upgrading NI LabVIEW and the embedded NI System Web Server to versions released after 2013 where the vulnerability is fixed. If upgrading is not immediately feasible, organizations should isolate affected systems from external and untrusted networks using network segmentation and firewall rules to restrict access to the NI System Web Server. Implement strict access controls and monitor network traffic for anomalous requests targeting the web server. Employ intrusion detection or prevention systems (IDS/IPS) with signatures or heuristics capable of detecting path traversal attempts. Conduct thorough audits of legacy LabVIEW deployments to identify vulnerable versions and remove or replace unsupported instances. Additionally, review and harden file system permissions to minimize the impact of arbitrary file reads. Regularly update and patch all related software components and maintain an inventory of industrial control systems to ensure timely vulnerability management. Finally, raise awareness among operational technology (OT) and IT teams about the risks of legacy vulnerabilities and the importance of defense-in-depth strategies.