Skip to main content

Waterfall WF-500 EUVDEUVD-2025-210000

| CVE-2025-41280 HIGH
Relative Path Traversal (CWE-23)
2026-05-29 Nozomi GHSA-cf86-3f4j-57g9
7.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
May 29, 2026 - 14:23 vuln.today
CVSS changed
May 29, 2026 - 12:22 NVD
7.5 (HIGH)
CVE Published
May 29, 2026 - 10:59 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Nozomi Networks Labs identified a CWE-23: Relative Path Traversal (Zip Slip) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured and file compression is enabled.

AnalysisAI

Relative path traversal (Zip Slip) in Waterfall WF-500 RX Host version 7.9.1.0 R2502171040 enables code execution on the RX side when attackers already control the TX Host and the deployment uses a MySQL connector with file compression enabled. The flaw, tracked as CWE-23 and reported by Nozomi Networks Labs, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but it meaningfully undermines the data-diode trust boundary the WF-500 is deployed to enforce.

Technical ContextAI

The Waterfall WF-500 is a unidirectional security gateway (data diode) used to enforce one-way data flow between an OT/source side (TX Host) and a destination side (RX Host), commonly bridging industrial control networks into IT or monitoring environments. CPE cpe:2.3:a:waterfall:wf-500 confirms the affected product. CWE-23 (Relative Path Traversal) manifests here as a classic 'Zip Slip' pattern: the RX Host decompresses archives forwarded across the diode but fails to canonicalize or constrain entry paths inside the archive, so an attacker-controlled entry containing '../' sequences can write files outside the intended extraction directory. The bug surfaces specifically along the MySQL connector pipeline when file compression is enabled, because that path is where the RX-side decompression routine handles attacker-influenced archive contents.

RemediationAI

Patch status is ambiguous in the available data - no vendor-released fixed version is independently identified at time of analysis, so contact Waterfall Security Solutions directly referencing CVE-2025-41280 / EUVD-2025-210000 and consult the Nozomi advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41280 for any updated fixed build of WF-500 beyond 7.9.1.0 R2502171040. Until a vendor patch is applied, the most direct compensating control is to disable file compression on the MySQL connector pipeline, which removes the decompression step that triggers the Zip Slip but will increase bandwidth across the diode for MySQL replication flows; alternatively, avoid the MySQL connector path entirely for untrusted TX-side data and harden the TX Host (least privilege, monitoring, integrity controls) so that the prerequisite TX foothold is harder to obtain. Treat the TX-to-RX trust boundary as compromised in monitoring: alert on unexpected file writes on the RX Host outside expected extraction directories.

More in Wf 500

View all
CVE-2025-41277 CRITICAL
9.3 May 29

Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41276 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated

CVE-2025-41275 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021

CVE-2025-41274 CRITICAL
9.3 May 29

Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers

CVE-2025-41272 CRITICAL
9.3 May 29

Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac

CVE-2025-41270 CRITICAL
9.3 May 29

Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo

CVE-2025-41269 CRITICAL
9.3 May 29

Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ

CVE-2025-41273 CRITICAL
9.3 May 29

Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta

CVE-2025-41268 HIGH
8.8 May 29

Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41271 HIGH
8.7 May 29

Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack

CVE-2025-41279 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al

CVE-2025-41266 HIGH
8.6 May 29

Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al

Share

EUVD-2025-210000 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy