Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host.
AnalysisAI
OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authenticated remote attackers to execute arbitrary operating system commands on the underlying host. The flaw was disclosed by Nozomi Networks Labs and carries a CVSS 4.0 score of 8.6; no public exploit identified at time of analysis, and EPSS exploitation probability is modest at 0.70%.
Technical ContextAI
The Waterfall WF-500 is a TX Host appliance used in unidirectional security gateway deployments common to industrial control and operational technology environments, where data diodes enforce one-way transfers between OT and IT networks. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-supplied input reaching an Administration WebUI handler is concatenated into an operating system command without adequate sanitization or quoting, permitting shell metacharacters to break out of the intended argument context. Because the WebUI runs with elevated privileges to manage the host, injected commands inherit those privileges and execute directly against the appliance OS.
RemediationAI
No vendor-released patch identified at time of analysis from the provided sources; consult the Nozomi Networks Labs advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41265 and the NVD record at https://nvd.nist.gov/vuln/detail/CVE-2025-41265 for any fixed-version announcements from Waterfall Security Solutions, and contact the vendor directly for a hotfix or updated firmware. Until a fix is confirmed, restrict network reachability of the WF-500 Administration WebUI to a dedicated management VLAN or jump host (trade-off: legitimate administrators must access through the bastion), enforce strong, unique credentials and rotate any shared admin accounts, enable multi-factor authentication on the WebUI if supported, and audit administrative session logs for unexpected command activity. Because the precondition is PR:H, minimizing the number of accounts with WebUI administrative rights provides meaningful risk reduction at low operational cost.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209985
GHSA-qq7f-qfjw-fj9f