Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host.
AnalysisAI
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) allows remote attackers with high privileges to execute arbitrary operating system commands on the underlying host. The flaw was identified by Nozomi Networks Labs and carries a CVSSv4 score of 8.6, but no public exploit identified at time of analysis and EPSS sits at 0.70% (72th percentile), reflecting limited expected exploitation activity against this niche OT/industrial product.
Technical ContextAI
The Waterfall WF-500 is a unidirectional security gateway (data diode) used in industrial and operational technology environments to enforce one-way data flow between segmented networks. The affected component is the Administration WebUI on the TX (transmit) Host, identified by CPE cpe:2.3:a:waterfall:wf-500. CWE-78 (Improper Neutralization of Special Elements used in an OS Command) indicates that user-controlled input from the management interface is concatenated into shell commands without sufficient sanitization or use of parameterized execution APIs, allowing shell metacharacters to break out of the intended command context and execute attacker-supplied OS commands under the privileges of the WebUI process.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data; operators should consult the Nozomi Networks Labs advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41266 and contact Waterfall Security Solutions directly for a fixed firmware build superseding 7.9.1.0 R2502171040. Until a patched release is confirmed, restrict network access to the WF-500 TX Host Administration WebUI to a dedicated management VLAN or jump host (this is standard OT hygiene and should have minimal side effects), enforce strong unique credentials and MFA on administrative accounts to raise the bar for the required PR:H precondition, rotate any administrator credentials that may have been exposed, and enable monitoring/logging of WebUI command execution and outbound connections from the TX Host so post-exploitation activity (e.g., unexpected shell processes or network beacons) is detected. Avoid exposing the management interface to general IT networks or the internet under any circumstances.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209986
GHSA-865q-qqwj-gwm3