NI FlexLogger usiReg URI File Parsing Directory Traversal Remote Code Execution Vulnerability

Vulnerability

The vulnerability resides in the usiReg component of NI FlexLogger during the parsing of URI files. The software fails to properly validate user-supplied paths before using them in file operations, resulting in a directory traversal condition. This allows an attacker to write arbitrary files to the system. The affected versions of NI FlexLogger have not been explicitly disclosed, but all versions prior to a potential fix are considered vulnerable [1].

Exploitation

To exploit this vulnerability, an attacker must convince a user to either visit a malicious webpage or open a specially crafted file. No authentication is required, but user interaction is necessary. The attacker can embed a directory traversal sequence in the URI file path to write files outside the intended directory. Once the file is opened, the usiReg component processes the malicious URI and performs file operations with the traversed path [1].

Impact

Successful exploitation allows an attacker to create arbitrary files on the target system. By writing a malicious file (e.g., a DLL or script) to a startup location, the attacker can achieve remote code execution in the context of the current user. This could lead to full compromise of the user's data and system integrity [1].

Mitigation

As of the publication of the ZDI advisory (March 17, 2025), no official patch has been released by NI. Users are advised to exercise caution when opening URI files from untrusted sources and to apply security updates as soon as they become available. This vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].