Relative Path Traversal Vulnerability in Digilent WaveForms

Overview

There is a relative file path traversal vulnerability due to improper input validation in Digilent WaveForms that may result in arbitrary code execution.  Successful exploitation requires an attacker to get a user to open a specially crafted .DWF3WORK file.  This vulnerability affects Digilent WaveForms 3.24.3 and prior versions.

 

This vulnerability is identified as CVE-2025-10203.

Mitigation Guidance

Digilent strongly recommends upgrading the affected software to mitigate this vulnerability.  In addition, Digilent strongly recommends users practice good cyber awareness and avoid opening DWF3WORK files from any untrusted sources.  

Affected Products

 

CVSS Score

CVE-2025-10203 – 7.8 – CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2025-10203 – 8.5 – CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Further Information

At NI, we view the security of our products as an important part of our commitment to our customers.  Go to ni.com/security to stay informed and act upon security alerts and issues.

Acknowledgements

Digilent would like to thank kimiya working with Trend Micro Zero Day Initiative for reporting this issue and working with us on coordinated disclosure.

Additional Resources

Product Version | Mitigation
Digilent WaveForms 3.24.3 and prior | Upgrade to Digilent WaveForms 3.24.4 or later from here.
