Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
AnalysisAI
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated network attackers to run arbitrary operating system commands via the Console WebUI. The flaw was disclosed by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3, but no public exploit identified at time of analysis and EPSS sits at 1.02% (78th percentile), indicating credible but not yet widespread exploitation pressure.
Technical ContextAI
The Waterfall WF-500 is a unidirectional security gateway (data diode) product family used in industrial and OT environments to enforce one-way data flow between segmented networks; the TX and RX Hosts are the transmit/receive endpoints managed through a web-based Console. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-controllable input reaches a shell or command interpreter inside the Console WebUI without proper sanitization or argument separation. Because the affected component is the management plane exposed over HTTP(S), injected metacharacters or argument-style payloads are executed in the context of the underlying operating system process running the WebUI on the device.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data; operators should consult Waterfall Security Solutions directly and monitor the Nozomi advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41269 and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-41269 for a fixed build superseding 7.9.1.0 R2502171040. As compensating controls until a fixed version is installed, restrict network access to the Console WebUI to a dedicated management VLAN or jump host using firewall ACLs so the management interface is unreachable from process/IT networks (trade-off: out-of-band administration only, no remote support from non-management subnets); place the WebUI behind a reverse proxy or VPN that enforces strong authentication and TLS client certificates (trade-off: added operational complexity and one more component to maintain); disable or block the Console WebUI service entirely on TX and RX Hosts where day-to-day administration can be performed via local console or CLI (trade-off: loss of GUI-based monitoring and configuration). Increase logging and alerting on the WebUI process for unusual child-process creation and outbound connections from the appliance, since CWE-78 exploitation typically spawns shell commands that are observable in OS-level audit logs.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209989
GHSA-5wvf-5xh4-3whx