Cyber Posture

CVE-2025-2449

High

Published: 18 March 2025

Published
18 March 2025
Modified
18 August 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.1975 95.5th percentile
Risk Priority 29 60% EPSS · 20% KEV · 20% CVSS

Description

An adversary may rely upon a user opening a malicious file in order to gain execution.

Security Summary

CVE-2025-2449 is a directory traversal vulnerability in the usiReg component of NI FlexLogger that enables remote code execution. The issue stems from insufficient validation of user-supplied paths during URI file parsing, allowing attackers to create arbitrary files on affected installations. Published on 2025-03-18, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps to CWE-22; it was previously tracked as ZDI-CAN-21805.

Remote attackers without privileges can exploit this vulnerability by luring a target user into visiting a malicious web page or opening a malicious file. User interaction is required, after which the attacker can leverage the path traversal to write files and execute arbitrary code in the context of the current user, potentially compromising confidentiality, integrity, and availability.

The Zero Day Initiative advisory (ZDI-25-146), available at https://www.zerodayinitiative.com/advisories/ZDI-25-146/, provides further details on the vulnerability.

Details

CWE(s)
CWE-22

Affected Products

ni
flexlogger
2024

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1204.001 Malicious Link Execution
An adversary may rely upon a user clicking a malicious link in order to gain execution.
attack.mitre.org →
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
attack.mitre.org →
Why these techniques?

Client-side RCE vulnerability in desktop application triggered by user opening malicious file or visiting malicious link, directly enabling T1203 exploitation for client execution and T1204 user execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References