ZCyberNews
CVE-2026-32861

Critical Code Execution Flaw Patched in NI LabVIEW

CVE-2026-32861 in NI LabVIEW lets an attacker execute arbitrary code in the context of the current user by tricking that user into opening a malicious LVCLASS file. The flaw carries a CVSS v3.1 base score of 7.8 (High).



Executive Summary

A remote code execution (RCE) vulnerability in NI LabVIEW, tracked as CVE-2026-32861, allows an attacker to execute arbitrary code on a target system by convincing a user to open a maliciously crafted LVCLASS file. The flaw was disclosed through Trend Micro's Zero Day Initiative (ZDI) and carries a CVSS v3.1 base score of 7.8 (High). Successful exploitation gives the attacker code execution with the privileges of the user who opened the file, which on an engineering workstation typically means full control of that machine. This poses a significant risk to industrial, research, and academic environments, where LabVIEW is widely used for test, measurement, and control systems.

Technical Analysis

The vulnerability lies in the parsing of LabVIEW class files (.lvclass). According to the ZDI advisory (ZDI-26-291), it is a memory corruption issue triggered when the application processes a specially crafted file: data taken from the file is used without proper validation, which allows a write beyond the end of an allocated buffer.

This out-of-bounds write can be used to corrupt memory in a way that lets an attacker execute code in the context of the user who opened the file. No authentication or elevated privileges are needed; the only prerequisite is that a user opens the malicious file, which could arrive by email, from a compromised website, or over a network share. Because the payload runs with that user's rights, the practical impact is whatever that user can reach from the workstation. The ZDI advisory records that the bug was reported to NI on 2025-11-19 and was patched by the vendor in a subsequent update.
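The bug class named in the advisory, an out-of-bounds write caused by trusting a length taken from the file, is easiest to see in a small parser. The C code below is an added example, not code from LabVIEW or from the ZDI advisory, and it uses a made-up record layout (a 4-byte little-endian length followed by that many name bytes) rather than the real LVCLASS format. It shows the unchecked copy beside a hardened one that rejects a length exceeding the bytes actually present (an out-of-bounds read) separately from a length exceeding the destination buffer (the out-of-bounds write); the sample inputs are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy record layout (hypothetical, NOT the real LVCLASS format):
 *   [u32 name_len, little-endian][name_len bytes of name]
 * The fixed-size destination stands in for the allocation that a
 * crafted file can overrun in the bug class the advisory describes. */
#define NAME_CAP 32

typedef struct {
    char   name[NAME_CAP];
    size_t name_len;
} record_t;

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2, PARSE_BAD_HDR = -3 };

static uint32_t rd_u32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE: trusts name_len straight from the file. If name_len exceeds
 * NAME_CAP the memcpy writes past out->name (out-of-bounds write); if it
 * exceeds the remaining input it also reads past the file buffer.
 * Shown only to illustrate the pattern; never feed it untrusted data. */
int parse_record_unchecked(const uint8_t *buf, size_t buf_len, record_t *out) {
    if (buf_len < 4) return PARSE_BAD_HDR;
    uint32_t n = rd_u32le(buf);
    memcpy(out->name, buf + 4, n);   /* no check against buf_len or NAME_CAP */
    out->name_len = n;
    return PARSE_OK;
}

/* HARDENED: every length derived from the file is checked against both the
 * bytes actually present and the capacity of the destination before use. */
int parse_record_checked(const uint8_t *buf, size_t buf_len, record_t *out) {
    if (buf_len < 4) return PARSE_BAD_HDR;
    uint32_t n = rd_u32le(buf);
    if (n > buf_len - 4) return PARSE_TRUNCATED;  /* would read past the input */
    if (n >= NAME_CAP)   return PARSE_TOO_LONG;   /* would write past name[] (room kept for NUL) */
    memcpy(out->name, buf + 4, n);
    out->name[n] = '\0';
    out->name_len = n;
    return PARSE_OK;
}

/* Constructed sample inputs. */
static const uint8_t BENIGN[]    = { 0x05,0,0,0, 'M','o','t','o','r' };
/* Header claims 0x40 bytes but only 4 follow: truncated input, OOB read. */
static const uint8_t TRUNCATED[] = { 0x40,0,0,0, 'A','B','C','D' };
/* 48 bytes declared and present: consistent with the input, but larger
 * than NAME_CAP, so the unchecked parser would overrun the destination. */
static uint8_t OVERLONG[4 + 48];

const uint8_t *make_overlong(size_t *len) {
    OVERLONG[0] = 48; OVERLONG[1] = OVERLONG[2] = OVERLONG[3] = 0;
    memset(OVERLONG + 4, 'A', 48);
    *len = sizeof OVERLONG;
    return OVERLONG;
}

int main(void) {
    record_t r;
    size_t n;
    const uint8_t *o = make_overlong(&n);
    printf("benign:    %d\n", parse_record_checked(BENIGN, sizeof BENIGN, &r));
    printf("truncated: %d\n", parse_record_checked(TRUNCATED, sizeof TRUNCATED, &r));
    printf("overlong:  %d\n", parse_record_checked(o, n, &r));
    return 0;
}
```

parse_record_unchecked is deliberately never called with the crafted inputs above: doing so overruns a 32-byte buffer, which is the condition the advisory describes, and is undefined behavior. Building with -fsanitize=address and calling it on OVERLONG makes the overrun visible.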

Tactics, Techniques & Procedures

The likely exploitation chain follows the standard pattern for client-side attacks. The adversary relies on T1204.002 (User Execution: Malicious File), using social engineering to persuade a target to open the weaponized LVCLASS file. Once the parser bug has been triggered and attacker code is running inside the LabVIEW process, the next step is typically T1059 (Command and Scripting Interpreter) to launch follow-on payloads, after which the attacker can work toward persistence and lateral movement. Such initial access could form part of a broader campaign against engineering and industrial control system (ICS) environments.

Threat Actor Context

There is no public evidence of active exploitation of CVE-2026-32861 in the wild at the time of disclosure. The nature of the vulnerability, a client-side RCE in a widely deployed engineering application, nevertheless makes it attractive to advanced persistent threat (APT) groups focused on industrial espionage and supply chain compromise. Engineering workstations are a recurring stepping stone for such groups: TEMP.Veles (tracked by Mandiant), for example, operated from a compromised engineering workstation in its attack on a safety instrumented system, and other state-aligned actors continue to target critical infrastructure and manufacturing.

Mitigations & Recommendations

The primary mitigation is to apply the security update from NI (National Instruments). Users and administrators should upgrade to a LabVIEW release that includes the fix for CVE-2026-32861. NI's security advisory lists the affected versions and patched builds and should be consulted for specific version guidance.

Organizations should implement defensive measures to complement patching:

  • Application Control: Use allow-listing policies on engineering workstations, particularly those connected to operational technology (OT) networks, so that LabVIEW runs only where it is needed and so that unexpected executables or scripts dropped by an exploit are blocked from running.
  • User Training: Educate engineers and technical staff on the risk of opening unsolicited or unexpected project and class files, even when they appear to come from a trusted colleague or vendor.
  • Network Segmentation: Keep strict segmentation between engineering design environments, where LabVIEW is commonly used, and production OT networks to limit lateral movement if a workstation is compromised.
  • Monitoring: Deploy endpoint detection and response (EDR) tooling on engineering workstations and alert on anomalous behavior originating from the LabVIEW process, such as LabVIEW.exe spawning command or script interpreters or making unexpected outbound connections.
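For the monitoring item, a concrete rule is more useful than general advice. The C program below is an added example, not from NI, ZDI, or any EDR vendor, that runs a parent/child process rule over a handful of constructed, pipe-delimited process-creation events in the style of Sysmon event ID 1; the install paths, timestamps and command lines are invented. It flags LabVIEW.exe spawning a command or script interpreter, which is the T1059 step in the chain described above, and compares path components case-insensitively because Windows paths are.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed process-creation events (Sysmon event 1 style, '|'-delimited).
 * These are made up for the example, not real telemetry. */
static const char *EVENTS[] = {
    "2026-03-12T10:15:02Z|ParentImage=C:\\Program Files\\NI\\LabVIEW 2024\\LabVIEW.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c whoami",
    "2026-03-12T10:15:09Z|ParentImage=C:\\Program Files\\NI\\LabVIEW 2024\\LabVIEW.exe"
    "|Image=C:\\Program Files\\NI\\LabVIEW 2024\\LabVIEW.exe|CommandLine=LabVIEW.exe -unattended",
    "2026-03-12T10:16:40Z|ParentImage=C:\\Windows\\explorer.exe"
    "|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe",
    "2026-03-12T10:17:11Z|ParentImage=c:\\program files\\ni\\labview 2024\\labview.exe"
    "|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell -enc AAAA",
};
#define N_EVENTS (sizeof EVENTS / sizeof EVENTS[0])

/* Child interpreters whose spawn from LabVIEW is unexpected and maps to T1059. */
static const char *SUSPECT_CHILDREN[] = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
};
#define N_SUSPECT (sizeof SUSPECT_CHILDREN / sizeof SUSPECT_CHILDREN[0])

/* Last path component of a Windows path. */
static const char *win_basename(const char *path) {
    const char *b = strrchr(path, '\\');
    return b ? b + 1 : path;
}

/* Case-insensitive equality, since Windows paths are case-insensitive. */
static int ci_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Copy the value of "key=" from a '|'-delimited event into out. The key is
 * matched only at the start of a token, so "Image=" never matches inside
 * "ParentImage=". Returns 1 if the field was found. */
static int get_field(const char *event, const char *key, char *out, size_t cap) {
    size_t klen = strlen(key);
    const char *tok = event;
    while (tok) {
        const char *end = strchr(tok, '|');
        size_t tlen = end ? (size_t)(end - tok) : strlen(tok);
        if (tlen > klen && strncmp(tok, key, klen) == 0) {
            size_t vlen = tlen - klen;
            if (vlen >= cap) vlen = cap - 1;
            memcpy(out, tok + klen, vlen);
            out[vlen] = '\0';
            return 1;
        }
        tok = end ? end + 1 : NULL;
    }
    return 0;
}

/* Rule: parent process is LabVIEW.exe and the child is an interpreter/LOLBin. */
int is_suspicious_spawn(const char *event) {
    char parent[512], child[512];
    if (!get_field(event, "ParentImage=", parent, sizeof parent)) return 0;
    if (!get_field(event, "Image=", child, sizeof child)) return 0;
    if (!ci_equal(win_basename(parent), "LabVIEW.exe")) return 0;
    for (size_t i = 0; i < N_SUSPECT; i++)
        if (ci_equal(win_basename(child), SUSPECT_CHILDREN[i])) return 1;
    return 0;
}

/* Run the rule over the sample events and return the number that fired. */
int count_alerts(void) {
    int hits = 0;
    for (size_t i = 0; i < N_EVENTS; i++) {
        if (is_suspicious_spawn(EVENTS[i])) {
            hits++;
            printf("ALERT: %s\n", EVENTS[i]);
        }
    }
    return hits;
}

int main(void) {
    printf("%d of %zu events matched\n", count_alerts(), N_EVENTS);
    return 0;
}
```

The rule deliberately ignores LabVIEW spawning another copy of itself (event 2) and a shell started from Explorer (event 3); only events 1 and 4 fire. In a real deployment the same logic belongs in the EDR or SIEM query language, with the interpreter list tuned to what the engineering team's own build scripts legitimately launch.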

Tags: #industrial #rce #ni #labview