Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-288: Authentication Bypass Using an Alternate Path or Channel in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to bypass authentication of the Console web application and perform actions as an authenticated user.
AnalysisAI
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attackers to perform privileged actions through the Console WebUI via an alternate path or channel. Discovered by Nozomi Networks Labs, the flaw scores CVSS 9.3 (Critical) under v4.0 with network attack vector and no privileges required, though EPSS is low at 0.14% (34th percentile) and no public exploit identified at time of analysis. Given Waterfall's role in OT/ICS unidirectional gateway deployments, successful exploitation of the management console could enable adversaries to manipulate security-critical configurations.
Technical ContextAI
Waterfall WF-500 is a hardware data diode / unidirectional security gateway commonly deployed at IT/OT boundaries to enforce one-way data transfer between operational technology networks and corporate or external networks. The Console WebUI is the management plane used to configure and monitor the appliance. The root cause is CWE-288 (Authentication Bypass Using an Alternate Path or Channel), meaning the web application enforces authentication on its primary entry points but exposes a secondary route - such as an alternate URL, API endpoint, or protocol handler - that performs sensitive actions without re-validating the caller's identity. CPE coverage is cpe:2.3:a:waterfall:wf-500 for the affected appliance software.
RemediationAI
No vendor-released patch version is identified in the available input data at time of analysis; consult the Nozomi Labs advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41273 and the corresponding Waterfall vendor bulletin for the fixed build, and upgrade WF-500 TX and RX Hosts beyond 7.9.1.0 R2502171040 once available. Until a fix is applied, restrict network reachability of the Console WebUI to a dedicated management VLAN or jump host (trade-off: legitimate remote administration must be tunneled through that path), block inbound TCP to the management interface from any production, OT process, or untrusted network at the perimeter firewall, and monitor WebUI access logs for unauthenticated requests to non-standard paths or API endpoints that may indicate bypass attempts. Avoid exposing the management interface to the internet under any circumstances.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209993
GHSA-7gp3-r9h9-v4j9