Path traversal in NI FlexLogger
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2025-2449 |
| CWE-ID | CWE-22 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
FlexLogger Other software / Other software solutions |
| Vendor | National Instruments |
Security Bulletin
This security bulletin contains one high risk vulnerability.
1) Path traversal
EUVDB-ID: #VU105801
Risk: High
CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-2449
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within the parsing of URI files by the usiReg component. A remote attacker can trick a victim to open a specially crafted file and create arbitrary files on the system, leading to arbitrary code execution.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsFlexLogger: All versions
CPE2.3 External linkshttps://www.zerodayinitiative.com/advisories/ZDI-25-146/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
