CVE-2024-12741

Published Dec 18, 2024

Last updated 4 months ago

CVSS high 8.4
DAQExpress

Overview

AI description

Generated using AI and has not been reviewed by Intruder. May contain errors.

CVE-2024-12741 is a vulnerability found in National Instruments' DAQExpress software, specifically versions up to 5.1 on Windows. This flaw allows remote code execution by exploiting how the software handles serialized data. An attacker could gain control of a user's system if the user opens a specially crafted project file. Notably, DAQExpress is an end-of-life product and will not receive official patches. The vulnerability stems from deserialization of untrusted data, categorized as CWE-502. Exploitation could compromise system confidentiality, integrity, and availability. While the software will not receive vendor updates, mitigation strategies include avoiding untrusted files, upgrading to alternative software, using security software, and educating users about potential threats.

Description
A deserialization of untrusted data vulnerability exists in NI DAQExpress that may result in remote code execution. Successful exploitation requires an attacker to get a user to open a specially crafted project file. This vulnerability affects DAQExpress 5.1 and prior versions. Please note that DAQExpress is an EOL product and will not receive any updates.
Source: security@ni.com
NVD status: Awaiting Analysis
CNA Tags: unsupported-when-assigned

Risk scores

CVSS 4.0

Type: Secondary
Base score: 8.4
Impact score: -
Exploitability score: -
Vector string: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Severity: HIGH

CVSS 3.1

Type: Secondary
Base score: 7.8
Impact score: 5.9
Exploitability score: 1.8
Vector string: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

security@ni.com
CWE-502
