PatchSiren cyber security CVE debrief

CVE-2025-41266 Waterfall CVE debrief

A high-severity OS command injection vulnerability exists in the Administration WebUI of the Waterfall WF-500 TX Host, affecting firmware version 7.9.1.0 R2502171040 and earlier. Nozomi Networks Labs identified the flaw, which is classified as CWE-78 (improper neutralization of special elements used in an OS command). A remote attacker who has authenticated as an administrator can exploit this weakness to execute arbitrary operating system commands on the affected host. The vulnerability was published on May 29, 2026, and updated on June 1, 2026. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Waterfall
Product: WF-500
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-06-01
Advisory published: 2026-05-29
Advisory updated: 2026-06-01

Who should care

Organizations deploying Waterfall WF-500 TX Host devices in industrial control system (ICS) or operational technology (OT) environments should prioritize assessment and remediation. Security teams responsible for OT/ICS network security, asset owners in critical infrastructure sectors, and administrators managing Waterfall Security unidirectional gateway products are directly affected. The authenticated nature of this vulnerability means organizations with strong administrative access controls face reduced but not eliminated risk.

Technical summary

The Waterfall WF-500 TX Host firmware version 7.9.1.0 R2502171040 contains an OS command injection vulnerability (CWE-78) in its Administration WebUI. The flaw arises from improper neutralization of special elements used in OS commands. An attacker with administrative privileges can remotely inject and execute arbitrary operating system commands on the host. The vulnerability requires high privileges (administrative access) but no user interaction, with low attack complexity. Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the affected system.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict administrative access to the WF-500 TX Host Administration WebUI to trusted networks and authorized personnel only.
  • Apply firmware updates from Waterfall Security when available to address the command injection vulnerability.
  • Monitor WebUI access logs for anomalous administrative activity or unexpected command execution patterns.
  • Implement network segmentation to limit exposure of the WF-500 TX Host Administration WebUI to untrusted networks.
  • Review and validate input sanitization mechanisms in WebUI components as part of defense-in-depth.
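The last action above concerns input that reaches OS commands. The following Python example is added here for illustration; it is not code from the WF-500 firmware or from the advisory. It shows the CWE-78 pattern in a hypothetical admin-WebUI "ping host" action beside its hardened form, with a reviewer check for shell metacharacters; the handler, the field name and the sample values are assumptions, since the actual injection point in the WF-500 WebUI is not described on this page.

```python
import re

# Characters a POSIX shell treats as command separators, redirection or substitution.
SHELL_META = set(";|&`$<>()\n")
# Allowlist for a hostname/IP field: the only shape the hypothetical handler accepts.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def vulnerable_command(host: str) -> str:
    """CWE-78 pattern: the admin-supplied field is interpolated into a shell
    string. Returned for inspection only; it is never handed to a shell here."""
    return f"ping -c 1 {host}"


def hardened_command(host: str) -> list[str]:
    """Hardened form: allowlist-validate the field, then build an argv list so
    that no shell parses it (run it with subprocess.run(argv, shell=False))."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def has_shell_metacharacters(command: str) -> bool:
    """Defence-in-depth check for any string that reaches os.system() or
    shell=True: does it contain characters a shell would act on?"""
    return any(ch in SHELL_META for ch in command)


def review_submissions(values: list[str]) -> dict[str, str]:
    """Classify submitted field values the way the hardened handler would."""
    verdicts = {}
    for value in values:
        try:
            hardened_command(value)
            verdicts[value] = "accepted"
        except ValueError:
            verdicts[value] = "rejected"
    return verdicts


# Constructed sample inputs: two benign values and two carrying shell syntax.
SAMPLE_VALUES = ["10.0.0.5", "gateway.example.internal", "10.0.0.5; id", "$(uname -a)"]

if __name__ == "__main__":
    for value in SAMPLE_VALUES:
        cmd = vulnerable_command(value)
        print(f"{value!r}: shell-meta={has_shell_metacharacters(cmd)} "
              f"hardened={review_submissions([value])[value]}")
```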

Evidence notes

The vulnerability is classified as CWE-78 (OS Command Injection) per the primary weakness source. The affected product is the Waterfall WF-500 TX Host with firmware version 7.9.1.0 R2502171040 and earlier, as specified in NVD CPE criteria. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no attack requirements, high privileges required, no user interaction, and high impacts to confidentiality, integrity, and availability of the vulnerable system. The hardware component (WF-500) is marked as not vulnerable, while the firmware is the vulnerable component.

Official resources

Nozomi Networks Labs disclosed this vulnerability to Waterfall Security. The advisory was published as a vendor advisory on May 29, 2026.