PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-41269 Waterfall CVE debrief

A critical OS command injection vulnerability in Waterfall WF-500 TX/RX Hosts allows remote unauthenticated attackers to execute arbitrary operating system commands via the Console WebUI. The flaw, identified by Nozomi Networks Labs as CWE-78, affects firmware version 7.9.1.0 R2502171040 and earlier. The vulnerability carries a CVSS 4.0 score of 9.3 (Critical) with network attack vector, low attack complexity, no privileges required, and no user interaction needed, enabling complete compromise of confidentiality, integrity, and availability of the affected device. The vendor advisory was published by Nozomi Networks Labs and is the primary reference for technical details and remediation guidance.

Vendor
Waterfall
Product
WF-500
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-06-01
Advisory published
2026-05-29
Advisory updated
2026-06-01

Who should care

Organizations deploying Waterfall WF-500 TX or RX Hosts for unidirectional security gateway or data diode functions in operational technology environments, particularly those with Console WebUI access enabled on production or management networks. Security teams responsible for industrial control system infrastructure, critical infrastructure operators, and asset owners relying on Waterfall products for network segmentation should prioritize assessment and remediation.

Technical summary

The vulnerability exists in the Console WebUI component of Waterfall WF-500 TX and RX Hosts running firmware version 7.9.1.0 R2502171040. An improper neutralization of special elements in OS commands (CWE-78) allows remote unauthenticated attackers to inject and execute arbitrary operating system commands on the underlying host. The attack requires network access to the WebUI with no authentication credentials and no user interaction. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) reflects complete impact across confidentiality, integrity, and availability vectors with no scope change. The hardware platform itself (WF-500) is not vulnerable; only firmware versions at or below 7.9.1.0 R2502171040 are affected.

Defensive priority

critical

Recommended defensive actions

  • Immediately restrict network access to the Waterfall WF-500 Console WebUI to trusted administrative hosts only; do not expose the management interface to untrusted or internet-facing networks
  • Apply vendor-supplied firmware updates or patches as soon as available from Waterfall Security; contact the vendor directly if no patch timeline has been published
  • If patching is not immediately feasible, consider placing the device behind a properly configured firewall or jump host that filters and logs all access to the Console WebUI port
  • Review device logs and network traffic for unauthorized access attempts or anomalous command execution patterns targeting the Console WebUI
  • Segment WF-500 devices from operational technology networks where possible to limit lateral movement in case of compromise
  • Ensure incident response plans account for potential unauthenticated remote code execution on affected Waterfall WF-500 TX and RX Hosts

Evidence notes

Vulnerability confirmed through NVD analysis with official vendor advisory from Nozomi Networks Labs. CPE criteria confirm affected firmware versions through 7.9.1.0 R2502171040. CVSS 4.0 vector confirms critical severity with unauthenticated network exploitation path.

Official resources

Nozomi Networks Labs disclosed this vulnerability via vendor advisory. The CVE was published on 2026-05-29 and last modified on 2026-06-01. No known exploitation in ransomware campaigns has been documented, and the vulnerability has notbeen