Skip to main content

Waterfall WF-500 EUVDEUVD-2025-209992

| CVE-2025-41272 CRITICAL
OS Command Injection (CWE-78)
2026-05-29 Nozomi GHSA-2cvv-gpr6-mr7q
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 14:26 vuln.today
CVSS changed
May 29, 2026 - 12:22 NVD
9.3 (CRITICAL)
CVE Published
May 29, 2026 - 10:52 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.

AnalysisAI

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attackers reachable over the network to execute arbitrary operating system commands through the Console WebUI. The flaw was discovered by Nozomi Networks Labs and carries a CVSS 4.0 score of 9.3; no public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile) indicating moderate predicted exploitation interest.

Technical ContextAI

The Waterfall WF-500 is a unidirectional security gateway appliance commonly deployed in OT/ICS environments to enforce one-way data flow between trusted (TX) and untrusted (RX) network segments. The vulnerability resides in the Console WebUI management interface and is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-supplied input is concatenated into a shell command without sufficient sanitization, allowing shell metacharacters or command separators to break out of the intended command context. The affected CPE is cpe:2.3:a:waterfall:wf-500, identifying the appliance family that bridges IT and OT networks in critical infrastructure deployments.

RemediationAI

No vendor-released patched version is independently confirmed in the available data, so operators should consult the Nozomi Networks advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41272 and Waterfall Security for an updated firmware build beyond 7.9.1.0 R2502171040 and apply it as soon as it is released. Until a patched build is deployed, restrict network reachability to the Console WebUI to a dedicated management VLAN or jump host, block the WebUI port at perimeter and intra-segment firewalls so it is not reachable from the OT or general IT LAN, and require VPN or bastion-host access for any administrative session; the trade-off is reduced operational convenience for remote operators. Additionally enable network and host-based monitoring for anomalous shell-character payloads or unexpected outbound connections from the WF-500 management interface, recognizing that detection-only controls do not prevent exploitation if the WebUI remains reachable.

More in Wf 500

View all
CVE-2025-41277 CRITICAL
9.3 May 29

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41276 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated

CVE-2025-41275 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021

CVE-2025-41274 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers

CVE-2025-41270 CRITICAL
9.3 May 29

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41269 CRITICAL
9.3 May 29

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ

CVE-2025-41273 CRITICAL
9.3 May 29

Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta

CVE-2025-41268 HIGH
8.8 May 29

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41271 HIGH
8.7 May 29

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41279 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41266 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41265 HIGH
8.6 May 29

OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent

Share

EUVD-2025-209992 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy