Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
AnalysisAI
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers to inject and execute arbitrary OS commands through the Console WebUI. The flaw, identified by Nozomi Networks Labs, carries a CVSS 4.0 score of 9.3 and represents a critical risk to industrial unidirectional gateway deployments. No public exploit identified at time of analysis, and EPSS is 1.02% (78th percentile), suggesting elevated but not yet widespread exploitation interest.
Technical ContextAI
The vulnerability is a CWE-78 OS Command Injection in the Console WebUI component of the Waterfall WF-500, a unidirectional security gateway product widely deployed in industrial control system (ICS) and operational technology (OT) environments to enforce one-way data flow between trusted and untrusted networks. The CPE identifier cpe:2.3:a:waterfall:wf-500 indicates a single affected application surface - the web-based management console - where user-controllable input is passed unsanitized into an underlying shell or system command invocation. Because WF-500 devices typically sit at the IT/OT boundary, command execution on the device undermines the very network segmentation guarantee the product is sold to provide.
RemediationAI
No vendor-released patch identified at time of analysis in the provided data - operators should consult Waterfall Security Solutions directly and monitor the Nozomi advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41274 and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-41274 for an updated firmware build superseding 7.9.1.0 R2502171040. Until a fixed version is available, restrict network access to the Console WebUI to a dedicated, tightly controlled management VLAN reachable only from a hardened jump host (trade-off: complicates legitimate administration and may break existing remote-support workflows), place an authenticating reverse proxy or VPN in front of the management interface to remove unauthenticated reachability (trade-off: adds an additional component to maintain and does not patch the underlying injection), and enable detailed logging on the WebUI and any upstream firewall to detect anomalous command-shaped parameters in HTTP requests. Avoid exposing the management interface to the corporate IT network or the internet under any circumstances.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209994
GHSA-594v-jprj-pjx7