CVE-2025-12097 identifies a relative path traversal vulnerability (CWE-23) in the NI System Web Server component embedded within NI LabVIEW version 9.0.0 and prior. This vulnerability allows an unauthenticated remote attacker to craft HTTP requests that manipulate file path parameters, bypassing intended directory restrictions. By exploiting this, the attacker can read arbitrary files on the affected system, leading to potential exposure of sensitive configuration files, credentials, or intellectual property. The vulnerability impacts confidentiality but does not affect integrity or availability. The flaw was introduced in versions up to 2012 and was remediated in 2013, indicating that only legacy systems remain vulnerable. The CVSS 3.1 base score is 7.5 (high), reflecting network attack vector, low complexity, no privileges required, and no user interaction. No public exploits have been reported yet, but the ease of exploitation and potential information disclosure make it a significant risk. The NI System Web Server is often used in industrial and engineering environments for remote system management and data acquisition, increasing the potential impact of this vulnerability.

For European organizations, especially those in industrial automation, manufacturing, and engineering sectors relying on NI LabVIEW for system control and data acquisition, this vulnerability poses a serious risk of sensitive information leakage. Disclosure of configuration files or credentials could facilitate further attacks, including unauthorized system access or intellectual property theft. Since the vulnerability allows reading arbitrary files without authentication, attackers can gain insights into network architecture or proprietary processes. This can disrupt compliance with data protection regulations such as GDPR if personal or sensitive data is exposed. The impact is heightened in critical infrastructure sectors where NI LabVIEW is deployed, potentially affecting operational continuity and competitive advantage.

Organizations should immediately identify any NI LabVIEW installations running version 9.0.0 or earlier and assess exposure of the NI System Web Server to untrusted networks. The primary mitigation is to upgrade to a patched version released after 2013 that addresses this vulnerability. If upgrading is not immediately feasible, network-level controls such as firewall rules should restrict access to the NI System Web Server to trusted internal hosts only. Employ network segmentation to isolate vulnerable systems from the internet and untrusted networks. Regularly audit and monitor web server logs for suspicious requests indicative of path traversal attempts. Additionally, implement strict file system permissions to limit the web server's access to sensitive files. Finally, maintain an inventory of legacy systems and plan for their timely replacement or patching to reduce long-term risk.