Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
AnalysisAI
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated network attackers to inject and execute arbitrary OS commands through the Console WebUI. Discovered by Nozomi Networks Labs, the flaw carries a CVSS 4.0 score of 9.3 with no required privileges or user interaction; no public exploit identified at time of analysis, and EPSS sits at 1.02% (78th percentile).
Technical ContextAI
Waterfall WF-500 is an industrial unidirectional security gateway used in OT/ICS environments to enforce one-way data flows between segmented networks (typical of pairs of TX/RX hosts bridging IT and OT zones). The defect is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning user-controllable input reaches an underlying shell or system() invocation in the Console WebUI without proper sanitization or use of safe APIs such as parameterized exec calls. Per the CPE entry cpe:2.3:a:waterfall:wf-500, the management web interface is the attack surface, and a successful injection grants the attacker code execution in the context of the WebUI process on the gateway host.
RemediationAI
No vendor-released patch identified at time of analysis from the provided inputs; consult the Nozomi advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41276 and contact Waterfall Security for a fixed firmware build superseding 7.9.1.0 R2502171040. Until a patched build is applied, restrict network reachability to the Console WebUI by placing it behind a dedicated management VLAN with ACLs that permit only known administrator workstations, block the WebUI TCP port at perimeter and intra-OT firewalls (side effect: remote operators must use jump hosts), and disable the WebUI service entirely if administration can be performed via an out-of-band channel (side effect: loss of in-band GUI management). Monitor the appliance for anomalous outbound connections or new processes spawned from the WebUI service account as a detection compensating control.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
OS command injection in the Administration WebUI of Waterfall WF-500 TX Host version 7.9.1.0 R2502171040 enables authent
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209996
GHSA-w3pq-9jqc-2q4g