Skip to main content

Waterfall WF-500 CVE-2025-41268

| EUVDEUVD-2025-209988 HIGH
Relative Path Traversal (CWE-23)
2026-05-29 Nozomi GHSA-9w3c-478w-64gj
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 14:27 vuln.today
CVSS changed
May 29, 2026 - 12:22 NVD
8.8 (HIGH)
CVE Published
May 29, 2026 - 10:49 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to delete arbitrary files on the Host machines.

AnalysisAI

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to remove files on the host machine via a relative path traversal flaw in the Administration WebUI. The flaw was identified by Nozomi Networks Labs; no public exploit identified at time of analysis, and the EPSS score of 1.38% (81st percentile) indicates moderately elevated but not extreme exploitation likelihood. Because Waterfall WF-500 is a unidirectional security gateway deployed at OT/IT boundaries in industrial environments, file deletion can directly disrupt data diode operations.

Technical ContextAI

Waterfall WF-500 is a hardware-enforced unidirectional security gateway (data diode) used to enforce one-way data flow between OT and IT networks in critical infrastructure environments, with separate TX (transmit) and RX (receive) hosts. The vulnerability resides in the Administration WebUI, which exposes management functions over the network. CWE-23 (Relative Path Traversal) indicates that the WebUI accepts user-controlled input containing sequences such as '../' without proper canonicalization or restriction to an allowed base directory, allowing the file path to resolve outside the intended scope. The affected CPE is cpe:2.3:a:waterfall:wf-500:*:*:*:*:*:*:*:* and the EUVD catalogues versions up to and including 7.9.1.0 R2502171040.

RemediationAI

No vendor-released patch identified at time of analysis from the provided references; operators should consult Waterfall Security Solutions directly and reference the Nozomi advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41268 to obtain a fixed firmware build superseding 7.9.1.0 R2502171040. As compensating controls, restrict network reachability of the Administration WebUI to a dedicated management VLAN or jump host and block all other sources at the upstream firewall - this is consistent with vendor-recommended deployment of management planes for OT gateways and should have minimal operational impact since admin access is normally infrequent. Place the WebUI behind a reverse proxy or VPN that enforces authentication and request filtering for path traversal sequences (e.g., '../', encoded variants) if direct exposure cannot be eliminated, accepting the side effect that legitimate admin workflows may require an additional authentication step. Monitor for unexpected file deletions and WebUI HTTP requests containing traversal patterns until a patched build is deployed.

More in Wf 500

View all
CVE-2025-41277 CRITICAL
9.3 May 29

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41276 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated

CVE-2025-41275 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021

CVE-2025-41274 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers

CVE-2025-41272 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac

CVE-2025-41270 CRITICAL
9.3 May 29

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41269 CRITICAL
9.3 May 29

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ

CVE-2025-41273 CRITICAL
9.3 May 29

Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta

CVE-2025-41271 HIGH
8.7 May 29

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41279 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41266 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41265 HIGH
8.6 May 29

OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent

Share

CVE-2025-41268 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy