PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-41271 Waterfall CVE debrief

A path traversal vulnerability in Waterfall WF-500 TX/RX Hosts allows remote unauthenticated attackers to read arbitrary files via the Console WebUI. The flaw, identified as CWE-23 (Relative Path Traversal), affects firmware version 7.9.1.0 R2502171040 and was disclosed by Nozomi Networks Labs. The CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high confidentiality impact to the vulnerable system. No known exploitation in ransomware campaigns has been documented.

Vendor
Waterfall
Product
WF-500
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-06-01
Advisory published
2026-05-29
Advisory updated
2026-06-01

Who should care

Organizations operating Waterfall WF-500 unidirectional gateway or data diode deployments in industrial control system (ICS) or operational technology (OT) environments. Security teams responsible for OT network segmentation, vulnerability management programs covering ICS assets, and incident response functions monitoring for unauthorized file access on critical infrastructure boundary devices.

Technical summary

The Waterfall WF-500 TX and RX Hosts running firmware version 7.9.1.0 R2502171040 contain a relative path traversal vulnerability (CWE-23) in the Console WebUI component. An unauthenticated remote attacker can exploit insufficient input validation to construct requests that traverse the file system, enabling arbitrary file read from the device. The attack requires network access to the WebUI with no authentication credentials. Confidentiality impact to the vulnerable system is rated HIGH per CVSS 4.0; integrity and availability impacts are rated NONE. The vulnerability does not affect downstream system confidentiality, integrity, or availability per the CVSS vector.

Defensive priority

HIGH

Recommended defensive actions

  • Restrict network access to the Console WebUI to authorized administrative hosts only; implement network segmentation to prevent untrusted network reachability to WF-500 management interfaces
  • Apply vendor-supplied firmware updates when available from Waterfall Security; verify version exceeds 7.9.1.0 R2502171040
  • Monitor WebUI access logs for anomalous path traversal patterns including sequences such as '../' or encoded variants in HTTP requests
  • Review file system access controls on the device to limit readable paths in the event of traversal exploitation
  • Validate that Web application firewalls or reverse proxies in front of the Console WebUI enforce strict input validation and path normalization

Evidence notes

CPE data confirms affected firmware: cpe:2.3:o:waterfall-security:wf-500_firmware:*:*:*:*:*:*:*:* with version end including 7.9.1.0_r2502171040. The hardware platform WF-500 is listed as not vulnerable (cpe:2.3:h:waterfall-security:wf-500:-:*:*:*:*:*:*:*). CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. Weakness enumeration: CWE-23 from primary source [email protected].

Official resources

Nozomi Networks Labs reported this vulnerability to Waterfall Security. The CVE was published on 2026-05-29 and last modified on 2026-06-01.