Skip to main content

Waterfall WF-500 EUVDEUVD-2025-209998

| CVE-2025-41278 HIGH
Out-of-bounds Read (CWE-125)
2026-05-29 Nozomi GHSA-68g4-7798-227f
7.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 14:24 vuln.today
CVSS changed
May 29, 2026 - 12:22 NVD
7.5 (HIGH)
CVE Published
May 29, 2026 - 10:58 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host.

AnalysisAI

Out-of-bounds read in the Waterfall WF-500 RX Host (firmware 7.10.0.0 R2601141040) enables an attacker who already controls the TX Host to execute code on the receiving (RX) side, bypassing the unidirectional security guarantee the data diode is designed to enforce. Discovered by Nozomi Networks Labs with no public exploit identified at time of analysis and an EPSS score of 0.02%, the issue is significant because it undermines the OT/IT segmentation use case the product exists to provide. The vulnerability is not listed in CISA KEV and there is no evidence of active exploitation.

Technical ContextAI

The Waterfall WF-500 is a hardware-enforced unidirectional security gateway (data diode) widely deployed to bridge OT/ICS networks to IT networks while preventing return traffic. It is implemented as paired TX (transmit) and RX (receive) hosts, where the TX host sends data optically to the RX host. CWE-125 (Out-of-bounds Read) on the RX Host indicates that the RX-side parsing logic for traffic delivered from the TX side reads beyond an allocated buffer boundary, and per the Nozomi advisory this read condition is escalated into code execution on the RX Host. CPE cpe:2.3:a:waterfall:wf-500 confirms the affected product, and the root cause class typically stems from missing length validation on attacker-controlled fields in protocol or frame parsers.

RemediationAI

No vendor-released patch identified at time of analysis from the supplied references; operators should contact Waterfall Security Solutions directly and monitor the Nozomi Networks Labs advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41278 and the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2025-41278 for an updated firmware release superseding 7.10.0.0 R2601141040. Until a fix is available, treat the TX Host as a high-value asset: harden and isolate the TX Host's management plane, restrict administrative network access to it via jump host and MFA, and audit any IT-side systems that can reach the TX Host since TX compromise is the precondition for this attack (trade-off: tighter management-plane restrictions can complicate legitimate operator workflows). Increase monitoring of the data flows traversing the diode and of RX Host process and integrity state to detect anomalous behavior consistent with code execution on the RX side; this is detective rather than preventive, so plan for rapid firmware rollout once vendor patches ship.

More in Wf 500

View all
CVE-2025-41277 CRITICAL
9.3 May 29

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41276 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated

CVE-2025-41275 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021

CVE-2025-41274 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers

CVE-2025-41272 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac

CVE-2025-41270 CRITICAL
9.3 May 29

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41269 CRITICAL
9.3 May 29

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ

CVE-2025-41273 CRITICAL
9.3 May 29

Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta

CVE-2025-41268 HIGH
8.8 May 29

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41271 HIGH
8.7 May 29

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41279 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41266 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al

Share

EUVD-2025-209998 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy