Skip to main content

Waterfall WF-500 EUVDEUVD-2025-209991

| CVE-2025-41271 HIGH
Relative Path Traversal (CWE-23)
2026-05-29 Nozomi GHSA-8jh5-3w8c-rv2j
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 14:26 vuln.today
CVSS changed
May 29, 2026 - 12:22 NVD
8.7 (HIGH)
CVE Published
May 29, 2026 - 10:51 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to read arbitrary files from the device.

AnalysisAI

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to retrieve sensitive files from the device through a path traversal flaw in the Console WebUI. Discovered and disclosed by Nozomi Networks Labs, the issue scores CVSS 4.0 8.7 with network attack vector and no privileges required, though no public exploit identified at time of analysis and the device is not currently listed in CISA KEV.

Technical ContextAI

Waterfall WF-500 is a unidirectional security gateway appliance (TX/RX host pair) used predominantly in OT/ICS environments to enforce one-way data flow between trust zones such as control networks and corporate IT. The vulnerability resides in the Console WebUI management interface and is classified as CWE-23 (Relative Path Traversal), meaning user-supplied input containing relative path segments such as '../' is incorporated into file system operations without adequate sanitization or canonicalization, permitting access outside the intended web root. Because the WebUI is the administrative front-end of a security-critical boundary device (CPE cpe:2.3:a:waterfall:wf-500), arbitrary file disclosure can expose configuration files, credentials, cryptographic material, and logs that describe the segmented network the gateway protects.

RemediationAI

No vendor-released patch identified at time of analysis from the provided references; operators should contact Waterfall Security Solutions directly and consult the Nozomi Networks advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41271 for the latest fix guidance and any post-7.9.1.0 R2502171040 release. Until a fixed firmware is available, restrict reachability to the Console WebUI by placing the management interface on a dedicated out-of-band management VLAN with ACLs that permit only specific administrator workstations or jump hosts (trade-off: legitimate administrators must use the jump host, slightly increasing operational friction), and consider fronting the WebUI with a reverse proxy or WAF rule that rejects requests whose paths contain '../', '%2e%2e', or other traversal encodings (trade-off: may break legitimate URLs that contain encoded dots). Rotate any credentials, API keys, or certificates stored on the device after patching, since arbitrary file read could have exposed them, and increase log review on the WebUI for anomalous GET requests with traversal sequences.

More in Wf 500

View all
CVE-2025-41277 CRITICAL
9.3 May 29

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41276 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated

CVE-2025-41275 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021

CVE-2025-41274 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers

CVE-2025-41272 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac

CVE-2025-41270 CRITICAL
9.3 May 29

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41269 CRITICAL
9.3 May 29

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ

CVE-2025-41273 CRITICAL
9.3 May 29

Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta

CVE-2025-41268 HIGH
8.8 May 29

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41279 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41266 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41265 HIGH
8.6 May 29

OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent

Share

EUVD-2025-209991 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy