CVE-2025-12097

HIGH

NI System Web Server <2012 - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-12097. PoCs published by matejsmycka.

AI-analyzed exploit summary This PoC demonstrates a directory traversal vulnerability in NI modification of Appweb server, allowing arbitrary file reads via a specially crafted URI path. The exploit leverages double URL encoding to bypass path sanitization and access files like `win.ini`.

Description

There is a relative path traversal vulnerability in the NI System Web Server that may result in information disclosure.  Successful exploitation requires an attacker to send a specially crafted request to the NI System Web Server, allowing the attacker to read arbitrary files.  This vulnerability existed in the NI System Web Server 2012 and prior versions.  It was fixed in 2013.

Exploits (1)

nomisec WORKING POC
by matejsmycka · poc
https://github.com/matejsmycka/PoC-CVE-2025-12097

This PoC demonstrates a directory traversal vulnerability in NI modification of Appweb server, allowing arbitrary file reads via a specially crafted URI path. The exploit leverages double URL encoding to bypass path sanitization and access files like `win.ini`.

Classification
Working Poc 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: NI modification of Appweb server (Mbedthis-Appweb/2.5.0)
No auth needed
Prerequisites: Network access to the target server · Target running vulnerable Appweb server version
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 7.5
EPSS 0.0052
EPSS Percentile 39.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-23
Status published
Products (1)
NI/LabVIEW 9.0.0 - 12.*
Published Dec 04, 2025
Tracked Since Feb 18, 2026