PatchSiren

CVE-2025-41265 Waterfall CVE debrief

A remote OS command injection vulnerability (CWE-78) exists in the Administration WebUI of the Waterfall WF-500 TX Host, affecting firmware version 7.9.1.0 R2502171040 and earlier. Discovered by Nozomi Networks Labs and published on 2026-05-29, this flaw allows remote authenticated attackers with administrative privileges to execute arbitrary operating system commands on the affected host. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no required user interaction, and high impact to confidentiality, integrity, and availability. The vulnerability is classified as HIGH severity with a score of 8.6. No known exploitation in ransomware campaigns has been documented, and the vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog.

Vendor: Waterfall
Product: WF-500
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-06-01
Advisory published: 2026-05-29
Advisory updated: 2026-06-01

Who should care

Organizations deploying Waterfall WF-500 TX Host devices in industrial control system (ICS) and operational technology (OT) environments should prioritize this vulnerability. Security teams responsible for OT network segmentation, asset owners managing unidirectional gateway infrastructure, and compliance officers tracking CVE remediation timelines for critical infrastructure protection standards should take immediate defensive action.

Technical summary

The Waterfall WF-500 TX Host firmware version 7.9.1.0 R2502171040 contains an OS command injection vulnerability in its Administration WebUI. The flaw stems from improper neutralization of special elements in OS commands (CWE-78), enabling remote authenticated attackers to inject and execute arbitrary operating system commands. Successful exploitation grants the attacker full control over the host, with high impact to confidentiality, integrity, and availability. Attack complexity is low and no user interaction is required, though administrative privileges are a prerequisite. The vulnerability affects the firmware CPE cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:* up to version 7.9.1.0_r2502171040.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict administrative access to the WF-500 TX Host Administration WebUI to trusted networks and authorized personnel only
  • Apply firmware updates from Waterfall Security when available to address this vulnerability
  • Monitor WebUI access logs for anomalous administrative activity or unexpected command execution patterns
  • Implement network segmentation to limit exposure of the Administration WebUI to untrusted networks
  • Review and validate input sanitization controls in any custom integrations with the WF-500 TX Host
  • Conduct security assessments to verify that administrative credentials are not shared and follow strong authentication practices

Evidence notes

The vulnerability is confirmed through official sources: the NVD record (status: Analyzed), the Nozomi Networks vendor advisory, and the CVE.org record. CPE criteria confirm affected firmware versions up to and including 7.9.1.0_r2502171040.
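
The affected range above, turned into an asset-inventory check (an added example, not code from PatchSiren, Nozomi Networks or Waterfall). It assumes firmware strings take one of the two forms seen on this page and that, for the same dotted version, a lower R number is an earlier build; the hostnames and every version other than 7.9.1.0 R2502171040 are constructed.

```python
import re

# Last affected release as stated on this page (CPE bound, inclusive).
LAST_AFFECTED = "7.9.1.0 R2502171040"
# Accepts "7.9.1.0 R2502171040" (UI style) and "7.9.1.0_r2502171040" (CPE style).
_FW_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:[\s_]+[rR](\d+))?\s*$")

def parse_firmware(text):
    """Return (version_tuple, build_or_None); raise ValueError if unparseable."""
    m = _FW_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while parts and parts[-1] == 0:  # so that 7.9.1 and 7.9.1.0 compare equal
        parts.pop()
    build = int(m.group(2)) if m.group(2) else None
    return tuple(parts), build

def is_affected(text):
    """True/False for in/out of the listed range, None when undecidable."""
    try:
        version, build = parse_firmware(text)
    except ValueError:
        return None
    max_version, max_build = parse_firmware(LAST_AFFECTED)
    if version != max_version:
        return version < max_version
    if build is None:
        return None  # same dotted version, build stamp missing
    # Assumption: R stamps of the same dotted version sort numerically.
    return build <= max_build

def triage(inventory):
    """Map each host to IN RANGE / OUT OF RANGE / CHECK MANUALLY."""
    labels = {True: "IN RANGE", False: "OUT OF RANGE", None: "CHECK MANUALLY"}
    return {host: labels[is_affected(fw)] for host, fw in inventory}

# Constructed inventory for illustration only.
SAMPLE = [
    ("txhost-a", "7.9.1.0 R2502171040"),
    ("txhost-b", "7.9.1.0_r2502171040"),
    ("txhost-c", "7.8.3.2 R2409011200"),
    ("txhost-d", "7.9.1.0 R2603010900"),
    ("txhost-e", "7.9.1.0"),
    ("txhost-f", "unknown"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:10} {verdict}")
```

"OUT OF RANGE" only means the string falls outside the CPE range quoted here; it does not identify a fixed release, which this page does not name.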

Official resources

Nozomi Networks Labs disclosed this vulnerability to Waterfall Security. The vendor advisory was published and the CVE record was subsequently analyzed and updated by NVD on 2026-06-01.