Severity by source
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Nozomi Networks Labs identified a CWE-23: Relative Path Traversal (Zip Slip) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured and file compression is enabled.
AnalysisAI
Relative path traversal (Zip Slip) in Waterfall WF-500 RX Host version 7.9.1.0 R2502171040 enables code execution on the RX side when attackers already control the TX Host and the deployment uses a MySQL connector with file compression enabled. The flaw, tracked as CWE-23 and reported by Nozomi Networks Labs, has no public exploit identified at time of analysis and an EPSS of 0.02% (4th percentile), but it meaningfully undermines the data-diode trust boundary the WF-500 is deployed to enforce.
Technical ContextAI
The Waterfall WF-500 is a unidirectional security gateway (data diode) used to enforce one-way data flow between an OT/source side (TX Host) and a destination side (RX Host), commonly bridging industrial control networks into IT or monitoring environments. CPE cpe:2.3:a:waterfall:wf-500 confirms the affected product. CWE-23 (Relative Path Traversal) manifests here as a classic 'Zip Slip' pattern: the RX Host decompresses archives forwarded across the diode but fails to canonicalize or constrain entry paths inside the archive, so an attacker-controlled entry containing '../' sequences can write files outside the intended extraction directory. The bug surfaces specifically along the MySQL connector pipeline when file compression is enabled, because that path is where the RX-side decompression routine handles attacker-influenced archive contents.
RemediationAI
Patch status is ambiguous in the available data - no vendor-released fixed version is independently identified at time of analysis, so contact Waterfall Security Solutions directly referencing CVE-2025-41280 / EUVD-2025-210000 and consult the Nozomi advisory at https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41280 for any updated fixed build of WF-500 beyond 7.9.1.0 R2502171040. Until a vendor patch is applied, the most direct compensating control is to disable file compression on the MySQL connector pipeline, which removes the decompression step that triggers the Zip Slip but will increase bandwidth across the diode for MySQL replication flows; alternatively, avoid the MySQL connector path entirely for untrusted TX-side data and harden the TX Host (least privilege, monitoring, integrity controls) so that the prerequisite TX foothold is harder to obtain. Treat the TX-to-RX trust boundary as compromised in monitoring: alert on unexpected file writes on the RX Host outside expected extraction directories.
Remote OS command execution in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote code execution in Waterfall WF-500 TX and RX Host appliances (version 7.9.1.0 R2502171040) allows unauthenticated
Remote unauthenticated OS command injection in the Waterfall WF-500 TX and RX Host Console WebUI (version 7.9.1.0 R25021
Remote code execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated attackers
Remote unauthenticated OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows attac
Remote OS command injection in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows unauthenticated netwo
Remote command execution in Waterfall WF-500 TX and RX Hosts (version 7.9.1.0 R2502171040) allows unauthenticated networ
Authentication bypass in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated atta
Arbitrary file deletion in Waterfall WF-500 TX/RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Arbitrary file read in Waterfall WF-500 TX and RX Hosts version 7.9.1.0 R2502171040 allows remote unauthenticated attack
Authenticated OS command injection in the Waterfall WF-500 RX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Authenticated OS command injection in the Waterfall WF-500 TX Host Administration WebUI (version 7.9.1.0 R2502171040) al
Same weakness CWE-23 – Relative Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210000
GHSA-cf86-3f4j-57g9