Skip to main content

Waterfall WF-500 CVE-2025-41279

| EUVDEUVD-2025-209999 HIGH
OS Command Injection (CWE-78)
2026-05-29 Nozomi GHSA-mx9m-xgqf-hmqr
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 14:23 vuln.today
CVSS changed
May 29, 2026 - 12:22 NVD
8.6 (HIGH)
CVE Published
May 29, 2026 - 10:59 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 RX Host.

AnalysisAI

Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) allows attackers with high privileges to execute arbitrary operating system commands on the unidirectional gateway appliance. The flaw was discovered and reported by Nozomi Networks Labs, carries a CVSS 4.0 score of 8.6, and an EPSS of 0.70% (72nd percentile); no public exploit identified at time of analysis. Because WF-500 is deployed as a data-diode between IT and OT/ICS networks, code execution on the RX Host effectively compromises a critical security boundary.

Technical ContextAI

The WF-500 RX (receive) Host is the IT-side endpoint of Waterfall Security Solutions' unidirectional gateway, which uses hardware-enforced one-way transfer to bridge OT/ICS environments to IT networks while blocking inbound traffic. The vulnerability lives in the appliance's Administration WebUI, where user-supplied input is concatenated into an OS command without proper neutralization of shell metacharacters (CWE-78). When the WebUI passes the tainted string to a shell or system() call, attacker-controlled characters such as ';', '|', '`', or '$()' break out of the intended command and run arbitrary commands under whatever account the web service uses. CPE cpe:2.3:a:waterfall:wf-500 confirms the affected component, and the CVSS 4.0 vector AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H shows full confidentiality, integrity, and availability impact on the vulnerable system itself with no scope change to connected segments.

RemediationAI

Patch available per vendor advisory - consult Waterfall Security Solutions directly and the Nozomi Networks Labs advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41279 for the fixed firmware build and upgrade instructions, since a specific fixed version is not enumerated in the available data. Until upgrade, restrict reachability of the WF-500 Administration WebUI to a dedicated out-of-band management network and a small allowlist of jump hosts, which removes the network attack surface but complicates remote administration. Rotate WebUI administrator credentials and enforce unique strong passwords plus MFA where the appliance supports it, since exploitation requires high privileges (PR:H) and credential reuse or shared admin accounts directly enable the attack. Enable verbose audit logging on the WebUI and forward to a SIEM to detect anomalous admin sessions and command-injection payload patterns, accepting the additional log volume as a trade-off.

More in Wf 500

View all
CVE-2025-41277 CRITICAL
9.3 May 29

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41276 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated

CVE-2025-41275 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021

CVE-2025-41274 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers

CVE-2025-41272 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac

CVE-2025-41270 CRITICAL
9.3 May 29

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41269 CRITICAL
9.3 May 29

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ

CVE-2025-41273 CRITICAL
9.3 May 29

Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta

CVE-2025-41268 HIGH
8.8 May 29

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41271 HIGH
8.7 May 29

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41266 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41265 HIGH
8.6 May 29

OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent

Share

CVE-2025-41279 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy