Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
AnalysisAI
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R2502171040) allows attackers reachable on the management network to execute arbitrary operating system commands on the appliance. The flaw was reported by Nozomi Networks Labs, carries a CVSS 4.0 score of 9.3, and currently has no public exploit identified at time of analysis, with an EPSS score of 1.02% (78th percentile).
Technical ContextAI
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-supplied input handled by the Console WebUI is concatenated into a shell command without sufficient sanitization, allowing shell metacharacters to break out of the intended command context. The affected component is the management web interface of the Waterfall WF-500, a unidirectional security gateway (data diode) used in OT/ICS environments to enforce one-way data transfer between segmented networks; both the TX (transmit) and RX (receive) hosts running firmware 7.9.1.0 R2502171040 are impacted, per CPE cpe:2.3:a:waterfall:wf-500:*:*:*:*:*:*:*:*. Because the device is typically deployed at trust boundaries between IT and OT networks, code execution on the appliance directly undermines the security architecture it is meant to enforce.
RemediationAI
No vendor-released patch identified at time of analysis in the provided data, so operators should consult Waterfall Security and the Nozomi advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41275 for an updated firmware build beyond 7.9.1.0 R2502171040 and apply it as soon as it is offered. Until a fixed firmware is installed, restrict reachability to the Console WebUI by placing the management interface on a dedicated out-of-band management VLAN, enforcing firewall ACLs that permit access only from a small set of trusted administrative jump hosts, and disabling any direct WAN or IT-network exposure of the WebUI port - these controls effectively gate the network attack vector but introduce operational friction for remote administration and require strict jump-host hygiene. Add network detection for unexpected POST/parameter activity against the WebUI and monitor the appliance for anomalous outbound connections or unexpected process execution, since compromise of a unidirectional gateway undermines the OT segmentation it enforces.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209995
GHSA-x8xj-254q-5cfr