CVE-2024-6793

Deserialization of Untrusted Data in NI VeriStand DataLogging Server

CVSS 9.8 CRITICAL · EPSS 1.2% · CWE-502
In short

NI VeriStand DataLogging Server processes untrusted data without proper validation, allowing attackers to send malicious messages that execute arbitrary code on the server remotely.

Technical detail

A deserialization vulnerability in NI VeriStand DataLogging Server (2024 Q2 and prior) allows unauthenticated remote code execution via specially crafted serialized objects sent over the network. The flaw is classified as CWE-502 (insecure deserialization): user-supplied input is deserialized without validation, enabling arbitrary command execution in the server's context.

Summary generated and translated by AI from the official description.
A deserialization of untrusted data vulnerability exists in NI VeriStand DataLogging Server that may result in remote code execution. Successful exploitation requires an attacker to send a specially crafted message. These vulnerabilities affect NI VeriStand 2024 Q2 and prior versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
NI · VeriStand
