PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-41270 Waterfall CVE debrief

A critical OS command injection vulnerability (CWE-78) in Waterfall WF-500 TX and RX Hosts allows remote unauthenticated attackers to execute arbitrary operating system commands via the Console WebUI. The vulnerability affects firmware version 7.9.1.0 R2502171040 and was disclosed by Nozomi Networks Labs. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability of the victim device. The affected product is an industrial/gateway security appliance, making this particularly significant for operational technology environments where Waterfall products are typically deployed as unidirectional security gateways. The vendor advisory from Nozomi Networks Labs provides the primary technical disclosure and mitigation guidance.

Vendor
Waterfall
Product
WF-500
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-06-01
Advisory published
2026-05-29
Advisory updated
2026-06-01

Who should care

Organizations operating Waterfall WF-500 TX or RX Hosts in industrial control system or critical infrastructure environments; OT security teams responsible for unidirectional gateway appliances; network administrators managing segmented IT/OT architectures; incident response teams in energy, manufacturing, or other sectors deploying Waterfall products.

Technical summary

The Waterfall WF-500 TX and RX Hosts running firmware version 7.9.1.0 R2502171040 contain an OS command injection vulnerability (CWE-78) in the Console WebUI. A remote unauthenticated attacker can send crafted requests to the WebUI that result in arbitrary operating system command execution on the underlying host. The CVSS 4.0 score of 9.3 reflects the network-accessible attack surface, lack of required authentication or user interaction, and high impacts across confidentiality, integrity, and availability dimensions. Waterfall WF-500 devices function as unidirectional security gateways in industrial environments, meaning compromise could bridge security boundaries between networks. The vulnerability was identified and reported by Nozomi Networks Labs.

Defensive priority

critical

Recommended defensive actions

  • Restrict network access to the WF-500 Console WebUI to authorized administrative hosts only; do not expose the management interface to untrusted or internet-facing networks.
  • Apply patched firmware from Waterfall Security when available; contact Waterfall Security support for remediation timeline if no update is yet published.
  • Monitor WebUI access logs for anomalous requests, especially unexpected POST or GET parameters that may indicate command injection probing.
  • If the WebUI cannot be immediately patched or isolated, consider placing the management interface behind a jump host or out-of-band management network with additional authentication layers.
  • Review and validate any existing network segmentation between IT and OT zones to contain potential lateral movement if the device is compromised.

Evidence notes

CVE published 2026-05-29; modified 2026-06-01. CPE confirms affected product as Waterfall Security WF-500 firmware up to and including version 7.9.1.0_r2502171040. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H. Weakness source: [email protected]. No KEV entry present.

Official resources

2026-05-29