Skip to main content

Waterfall WF-500 CVE-2025-41281

| EUVDEUVD-2025-210001 HIGH
OS Command Injection (CWE-78)
2026-05-29 Nozomi GHSA-xrgm-w999-2hpq
7.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 14:23 vuln.today
CVSS changed
May 29, 2026 - 12:22 NVD
7.5 (HIGH)
CVE Published
May 29, 2026 - 11:00 nvd
HIGH 7.5
CVE Published
May 29, 2026 - 11:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured.

AnalysisAI

OS command injection in Waterfall WF-500 RX Host version 7.9.1.0 R2502171040 allows an attacker who already controls the TX Host to execute arbitrary commands on the RX Host when a MySQL connector is configured on the unidirectional gateway. The flaw was discovered by Nozomi Networks Labs and there is no public exploit identified at time of analysis; EPSS is low at 0.18% (40th percentile).

Technical ContextAI

Waterfall WF-500 is a unidirectional security gateway (data diode) used in OT/ICS environments to enforce one-way data transfer from a higher-trust 'TX' network to a lower-trust 'RX' network. The vulnerability is CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning input crossing the diode into the RX Host's MySQL connector logic is concatenated into a shell invocation without proper sanitization. CPE cpe:2.3:a:waterfall:wf-500 identifies the affected product family, and the MySQL connector is the specific feature module that parses attacker-influenced data and reaches the vulnerable command execution path.

RemediationAI

No vendor-released patch identified at time of analysis in the provided data; defenders should consult Waterfall Security directly and the Nozomi Labs advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41281 plus the NVD record at https://nvd.nist.gov/vuln/detail/CVE-2025-41281 for fix availability. As compensating controls, remove or disable the MySQL connector on WF-500 RX Host where it is not strictly required, which eliminates the vulnerable code path at the cost of losing MySQL replication across the diode. Tightly restrict and monitor administrative and network access to the TX Host so the prerequisite foothold cannot be achieved, including hardening credentials, isolating management interfaces, and alerting on anomalous TX-side process execution or outbound MySQL traffic. If the MySQL connector must remain enabled, constrain the source MySQL servers feeding it to a known allowlist and inspect logs on the RX Host for unexpected command execution.

More in Wf 500

View all
CVE-2025-41277 CRITICAL
9.3 May 29

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41276 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated

CVE-2025-41275 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021

CVE-2025-41274 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers

CVE-2025-41272 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac

CVE-2025-41270 CRITICAL
9.3 May 29

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41269 CRITICAL
9.3 May 29

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ

CVE-2025-41273 CRITICAL
9.3 May 29

Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta

CVE-2025-41268 HIGH
8.8 May 29

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41271 HIGH
8.7 May 29

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41279 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41266 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al

Share

CVE-2025-41281 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy