The NI VeriStand Gateway is missing authorization checks when an actor attempts to access Project resources. These missing checks may result in remote code execution. This affects NI VeriStand 2024 Q2 and prior versions.
The NI VeriStand Gateway component skips authorization verification (CWE-862 — Missing Authorization) when attempting to access project resources. An unauthenticated network attacker can send specially crafted requests to the Gateway, gaining access to protected project resources. The absence of these authorization controls can be directly exploited to execute code remotely on the target system.
An attacker can remotely execute arbitrary code on a system running NI VeriStand Gateway without requiring any permissions, leading to complete system takeover and loss of confidentiality, integrity, and availability of data.
Apply patches available from the vendor according to references. Detailed information about available updates can be found on the NI support page: https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/missing-authorization-checks-in-ni-veristand-gateway.html
NI VeriStand 2024 Q2 and all earlier versions
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HNi Veristand
APPNi2024≤ 2024
Related vulnerabilities
RCE przez niebezpieczną deserializację w NI VeriStand DataLogging Server
RCE przez deserializację danych w NI VeriStand Waveform Streaming Server
A directory path traversal vulnerability exists when loading a vsmodel file in NI VeriStand that may result in...
The NI VeriStand Gateway is missing authorization checks when an actor attempts to access File Transfer resour...
An incorrect permission assignment in the TopoGrafix DataPlugin for GPX could result in information disclosure...