Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
AnalysisAI
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated network attackers to execute arbitrary operating system commands via the Console WebUI. The flaw was identified by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3, though there is no public exploit identified at time of analysis and EPSS sits at 1.02%, indicating elevated but not yet realized exploitation pressure.
Technical ContextAI
The Waterfall WF-500 is a unidirectional security gateway appliance (data diode) used in operational technology and industrial control system environments to enforce one-way data transfer between segmented networks, typically between OT and IT. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning input passed to the Console WebUI is concatenated into a shell command without proper sanitization or use of safe execution primitives such as parameterized exec calls. Per CPE cpe:2.3:a:waterfall:wf-500, the affected component is the WF-500 application layer (both TX sending and RX receiving hosts), making the management plane of the diode itself the attack surface rather than the data-flow channel.
RemediationAI
No vendor-released patch identified at time of analysis from the provided data; defenders should consult Waterfall Security Solutions directly and monitor the Nozomi advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41270 and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-41270 for a fixed build superseding 7.9.1.0 R2502171040. As compensating controls, restrict network reachability of the Console WebUI to a dedicated, hardened management VLAN or jump host so it is not accessible from general OT or IT networks (trade-off: legitimate administrators must use the bastion), block inbound TCP to the WebUI port from any untrusted segment at upstream firewalls (trade-off: remote diagnostics workflows may break), and enforce strict source-IP allowlists on the appliance management interface where supported. Augment with network-IDS signatures for command-injection patterns directed at the WF-500 WebUI and increase logging review on the management host until a patched firmware is installed.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209990
GHSA-2r2p-h7w3-fpw7