Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host.
AnalysisAI
Out-of-bounds read in the Waterfall WF-500 RX Host (firmware 7.10.0.0 R2601141040) enables an attacker who already controls the TX Host to execute code on the receiving (RX) side, bypassing the unidirectional security guarantee the data diode is designed to enforce. Discovered by Nozomi Networks Labs with no public exploit identified at time of analysis and an EPSS score of 0.02%, the issue is significant because it undermines the OT/IT segmentation use case the product exists to provide. The vulnerability is not listed in CISA KEV and there is no evidence of active exploitation.
Technical ContextAI
The Waterfall WF-500 is a hardware-enforced unidirectional security gateway (data diode) widely deployed to bridge OT/ICS networks to IT networks while preventing return traffic. It is implemented as paired TX (transmit) and RX (receive) hosts, where the TX host sends data optically to the RX host. CWE-125 (Out-of-bounds Read) on the RX Host indicates that the RX-side parsing logic for traffic delivered from the TX side reads beyond an allocated buffer boundary, and per the Nozomi advisory this read condition is escalated into code execution on the RX Host. CPE cpe:2.3:a:waterfall:wf-500 confirms the affected product, and the root cause class typically stems from missing length validation on attacker-controlled fields in protocol or frame parsers.
RemediationAI
No vendor-released patch identified at time of analysis from the supplied references; operators should contact Waterfall Security Solutions directly and monitor the Nozomi Networks Labs advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41278 and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-41278 for an updated firmware release superseding 7.10.0.0 R2601141040. Until a fix is available, treat the TX Host as a high-value asset: harden and isolate the TX Host's management plane, restrict administrative network access to it via jump host and MFA, and audit any IT-side systems that can reach the TX Host since TX compromise is the precondition for this attack (trade-off: tighter management-plane restrictions can complicate legitimate operator workflows). Increase monitoring of the data flows traversing the diode and of RX Host process and integrity state to detect anomalous behavior consistent with code execution on the RX side; this is detective rather than preventive, so plan for rapid firmware rollout once vendor patches ship.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209998
GHSA-68g4-7798-227f