
CVE-2025-12097: CWE-23 Relative Path Traversal in NI LabVIEW

Severity: High
Tags: Vulnerability, CVE-2025-12097, CWE-23
Published: Thu Dec 04 2025 (12/04/2025, 19:07:46 UTC)
Source: CVE Database V5
Vendor/Project: NI
Product: LabVIEW

Description

There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure. Successful exploitation requires an attacker to send a specially crafted request to the NI System Web Server, allowing the attacker to read arbitrary files. This vulnerability existed in the NI System Web Server 2012 and prior versions. It was fixed in 2013.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/27/2026, 09:25:37 UTC

Technical Analysis

CVE-2025-12097 identifies a relative path traversal vulnerability (CWE-23) in the NI System Web Server component bundled with NI LabVIEW version 9.0.0 and earlier. The vulnerability arises from insufficient validation of user-supplied input in HTTP requests, allowing attackers to manipulate file path parameters to access files outside the intended web server directory. By crafting specific requests, an attacker can traverse directories and read arbitrary files on the host system, potentially exposing sensitive configuration files, credentials, or proprietary data. The vulnerability affects versions released up to 2012 and was addressed in a patch released in 2013. The CVSS v3.1 base score is 7.5, reflecting high severity due to the ease of remote exploitation without authentication or user interaction, and the high confidentiality impact. The vulnerability does not impact system integrity or availability. No public exploits have been reported, but the risk remains for unpatched legacy systems. This vulnerability is particularly relevant for organizations relying on NI LabVIEW for industrial automation, test, and measurement applications, where sensitive operational data may be exposed. The NI System Web Server is typically used for remote monitoring and control, increasing the attack surface if exposed to untrusted networks.
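The defect class described above (CWE-23) comes down to joining a decoded request path onto the document root and then opening the result without checking where normalization left it. The following added example, which is not NI's code and does not reflect the real NI System Web Server implementation, shows that naive resolver next to a hardened one that decodes once, rejects NUL bytes and double-encoded input, treats backslashes as separators (relevant on Windows hosts), normalizes, and serves only paths that remain under the root. `DOC_ROOT` is a hypothetical directory chosen for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical document root; the real NI System Web Server layout is not on the page.
DOC_ROOT = "/srv/niwebserver/htdocs"


def resolve_naive(doc_root: str, request_path: str) -> str:
    """The CWE-23 pattern: decode the URL path and join it onto the document root
    without checking where the normalized result ends up."""
    decoded = unquote(request_path).replace("\\", "/")
    return posixpath.normpath(posixpath.join(doc_root, decoded.lstrip("/")))


def resolve_safe(doc_root: str, request_path: str):
    """Hardened resolver: reject NUL bytes and double-encoding, normalize, and only
    return a path that is still inside doc_root. Returns None when the request is rejected."""
    root = posixpath.normpath(doc_root)
    decoded = unquote(request_path)
    if "\x00" in decoded:
        return None                       # NUL bytes truncate paths in C-based servers
    if unquote(decoded) != decoded:
        return None                       # a second decode changed it: double-encoded input
    decoded = decoded.replace("\\", "/")  # Windows hosts treat backslash as a separator too
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment is checked on the *normalized* path, with a trailing slash so that
    # "/srv/niwebserver/htdocs2" is not mistaken for a child of "/srv/niwebserver/htdocs".
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for p in ["/status/index.html", "/../../../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd"]:
        print(f"{p:40} naive={resolve_naive(DOC_ROOT, p)}  safe={resolve_safe(DOC_ROOT, p)}")
```

Rejecting any input that still changes under a second `unquote` is a deliberate trade-off: it refuses the double-encoding trick at the cost of refusing literal percent signs in file names, which is acceptable for a static document tree.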

Potential Impact

The primary impact of CVE-2025-12097 is unauthorized disclosure of sensitive information due to arbitrary file read capabilities. Attackers can access configuration files, credentials, or proprietary data stored on the affected system, potentially facilitating further attacks such as privilege escalation or lateral movement. Organizations using vulnerable NI LabVIEW versions in critical infrastructure, manufacturing, or research environments risk exposure of intellectual property and operational data. Since the vulnerability does not affect integrity or availability, direct system disruption is unlikely. However, the confidentiality breach can lead to significant operational and reputational damage, regulatory non-compliance, and financial loss. The ease of exploitation without authentication or user interaction increases the threat level, especially if the NI System Web Server is accessible from untrusted networks or the internet. Legacy systems that have not been updated since 2013 remain vulnerable, posing ongoing risk.

Mitigation Recommendations

1. Upgrade NI LabVIEW to a version released after 2013 that includes the patch for this vulnerability to eliminate the risk.
2. If upgrading is not immediately feasible, restrict network access to the NI System Web Server by implementing strict firewall rules to limit exposure only to trusted internal networks.
3. Employ network segmentation to isolate vulnerable systems from critical infrastructure and sensitive data repositories.
4. Monitor network traffic for suspicious HTTP requests that attempt directory traversal patterns (e.g., '../') targeting the NI System Web Server.
5. Disable or remove the NI System Web Server component if it is not required for operational purposes.
6. Conduct regular audits of systems running legacy NI LabVIEW versions to identify and remediate unpatched instances.
7. Implement intrusion detection/prevention systems (IDS/IPS) with signatures tuned to detect path traversal attempts.
8. Educate system administrators about the risks of legacy software and the importance of timely patching and network controls.
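Recommendations 4 and 7 above call for spotting traversal attempts in request traffic. A literal match on '../' misses the percent-encoded, double-encoded and backslash variants, so the added detector below (example code written for this page, not a vendor or IDS signature) decodes each request path to a fixed point, counts decoding rounds, splits on both separators and flags only a whole `..` segment, which keeps a benign name like `release..notes.html` out of the alerts. It runs over a few constructed common-log-format lines and marks hits that drew an HTTP 200, the cases a responder should triage first. The log lines, addresses and paths are constructed for the illustration and are not real NI System Web Server output.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in common log format; not real NI System Web Server logs.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Dec/2025:19:07:46 +0000] "GET /status/index.html HTTP/1.1" 200 512
10.0.0.9 - - [04/Dec/2025:19:08:01 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.9 - - [04/Dec/2025:19:08:03 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 0
10.0.0.9 - - [04/Dec/2025:19:08:05 +0000] "GET /%252e%252e/%252e%252e/config.ini HTTP/1.1" 200 2048
10.0.0.7 - - [04/Dec/2025:19:09:10 +0000] "GET /docs/..%5c..%5cconfig.ini HTTP/1.1" 404 0
10.0.0.7 - - [04/Dec/2025:19:09:12 +0000] "GET /docs/release..notes.html HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \d+'
)


def traversal_indicators(raw_path: str) -> list:
    """Return the reasons (possibly none) that a request path looks like a traversal attempt."""
    reasons = []
    decoded, rounds = raw_path, 0
    for _ in range(3):                       # bounded: stop once decoding reaches a fixed point
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded, rounds = nxt, rounds + 1
    if rounds > 1:
        reasons.append("double-encoded")     # %252e -> %2e -> . needed two rounds
    if "\x00" in decoded:
        reasons.append("nul-byte")
    segments = decoded.replace("\\", "/").split("/")
    if ".." in segments:                     # a whole ".." segment, not "release..notes"
        reasons.append("dot-dot segment")
    return reasons


def scan_log(text: str) -> list:
    """Parse common-log-format lines and return one record per request that carries
    traversal indicators; likely_success marks hits the server answered with 200."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                          # unparseable line: skip rather than crash the scan
        reasons = traversal_indicators(m["path"])
        if reasons:
            hits.append({
                "src": m["src"],
                "timestamp": m["ts"],
                "path": m["path"],
                "status": int(m["status"]),
                "reasons": reasons,
                "likely_success": m["status"] == "200",
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        flag = "SUCCESS?" if hit["likely_success"] else "blocked"
        print(f'{hit["src"]:10} {hit["status"]} {flag:8} {hit["path"]}  {", ".join(hit["reasons"])}')
```

A 200 response to a traversal request is the signal that distinguishes an unpatched server from a hardened one, so the triage order should be hits with `likely_success` first, then repeated sources regardless of status.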


Technical Details

Data Version: 5.2
Assigner Short Name: NI
Date Reserved: 2025-10-22T21:08:54.165Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6931dff2e9ea82452668a407

Added to database: 12/4/2025, 7:24:34 PM

Last enriched: 2/27/2026, 9:25:37 AM

Last updated: 3/22/2026, 3:06:58 PM
