Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
AnalysisAI
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated network attackers to run arbitrary operating system commands through the Console WebUI. The flaw, identified by Nozomi Networks Labs and tracked as CVE-2025-41277, carries a CVSS 4.0 base score of 9.3 and represents a critical risk for industrial environments relying on Waterfall's data diode gateways. No public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile) indicating elevated but not yet widespread exploitation activity.
Technical ContextAI
The Waterfall WF-500 is a unidirectional security gateway (data diode) used in OT/ICS environments to enforce one-way data flow between segmented networks such as production control systems and corporate IT. The vulnerable component is the Console WebUI, the management interface exposed on the TX (transmit) and RX (receive) hosts. The root cause is CWE-78 (OS Command Injection), meaning user-supplied input reaching a shell or process-execution API is not properly neutralized of metacharacters such as ;, |, &, or backticks, allowing injected commands to be executed by the underlying operating system. The affected CPE is cpe:2.3:a:waterfall:wf-500 covering all versions through 7.9.1.0 R2502171040.
RemediationAI
No vendor-released patch identified at time of analysis in the provided data; operators should contact Waterfall Security Solutions directly and consult the Nozomi advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41277 along with the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-41277 for the latest fix availability. As compensating controls, restrict access to the Console WebUI to a dedicated management VLAN reachable only from a hardened jump host, block TCP access to the WebUI port from production OT networks and any IT segments via firewall ACLs, and monitor authentication and HTTP request logs for anomalous parameters containing shell metacharacters; the trade-off is that locking down the WebUI may complicate routine operational tasks performed by ICS engineers and require an out-of-band path for diagnostics. If the WebUI is not required for daily operations, disable the service entirely until a patched firmware is released.
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209997
GHSA-8j22-33w4-9cm2