Platform: other
Component: ni-system-web-server
Fixed in: 12.0.1
CVE-2025-12097 describes a Path Traversal vulnerability discovered in the NI System Web Server. Successful exploitation allows an attacker to read arbitrary files on the system, potentially leading to information disclosure. This vulnerability impacts versions 9.0.0 through 12.* of the web server and was addressed in a fix released in 2013.
The primary impact of CVE-2025-12097 is unauthorized access to sensitive files on the server hosting the NI System Web Server. An attacker could leverage this vulnerability to retrieve configuration files, source code, or other data that could be used to further compromise the system. Depending on the data exposed, this could lead to data breaches, privilege escalation, or even complete system takeover. The ability to read arbitrary files makes this a significant security risk, particularly if the server handles sensitive information or is part of a critical infrastructure.
CVE-2025-12097 was publicly disclosed in December 2025. While no public proof-of-concept (PoC) code has been identified, the relative simplicity of path traversal vulnerabilities suggests a moderate risk of exploitation. The vulnerability's age and the potential for automated scanning tools to identify and exploit it contribute to this risk. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.13% (32nd percentile)
The recommended mitigation for CVE-2025-12097 is to upgrade to a version of the NI System Web Server that includes the fix released in 2013. Given the age of the vulnerability, upgrading may require careful planning and testing to ensure compatibility with existing systems. If an immediate upgrade is not possible, consider implementing strict access controls and file system permissions to limit the potential impact of a successful attack. While a WAF might offer some protection, it's unlikely to be a complete solution for path traversal vulnerabilities. Verify the upgrade by attempting to access files outside of the intended web server directory; access should be denied.
Upgrade the NI System Web Server to a version later than 2012. This will fix the path traversal vulnerability. Consult NI's documentation for specific instructions on how to update the software.
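To confirm from the defender's side that out-of-root requests are denied, the access log can be reviewed for request paths that climb above the web root and for the status code the server returned. The following is an added example, not code from NI or from this advisory; it assumes a Common Log Format access log (the server's real log layout is not given here), and the sample lines are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: Common Log Format; adjust the pattern to the server's real log layout.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def fully_decode(path, max_rounds=5):
    """Percent-decode repeatedly so nested encodings collapse to plain text."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")  # treat backslashes as separators too

def escapes_root(target):
    """True if the request path climbs above the web root after decoding."""
    depth = 0
    for segment in fully_decode(urlsplit(target).path).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def find_traversal(lines):
    """Return (ip, target, status) for each log line whose path escapes the root."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if m and escapes_root(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), int(m.group("status"))))
    return hits

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Dec/2025:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Dec/2025:10:00:05 +0000] "GET /docs/../../../etc/hosts HTTP/1.1" 200 220',
    '198.51.100.7 - - [01/Dec/2025:10:00:06 +0000] "GET /%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 0',
    '192.0.2.10 - - [01/Dec/2025:10:00:09 +0000] "GET /a/../b.html HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for ip, target, status in find_traversal(SAMPLE_LOG):
        print(ip, target, status, "SERVED, investigate" if status == 200 else "denied")
```

A flagged request answered with status 200 is the case to investigate; after the upgrade, flagged requests should show only denial statuses.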
CVE-2025-12097 is a vulnerability allowing attackers to read arbitrary files on a server running NI System Web Server, potentially exposing sensitive data.
You are affected if you are running NI System Web Server versions 9.0.0 through 12.*. Upgrade to a version fixed in 2013 to mitigate the risk.
Upgrade to a version of NI System Web Server that includes the fix released in 2013. Plan and test the upgrade carefully to ensure compatibility.
While no active exploitation has been confirmed, the vulnerability's age and simplicity suggest a potential risk of exploitation.
Refer to NI's official security advisories and documentation for specific details and guidance related to CVE-2025-12097.