CVE-2025-41272 Waterfall CVE debrief

Who should care

Organizations deploying Waterfall WF-500 unidirectional gateway or data diode products for OT/ICS network segmentation should prioritize this vulnerability. The unauthenticated nature and critical impact make this especially concerning for critical infrastructure operators relying on these devices for air-gap enforcement and secure data transfer between IT and OT networks.

Technical summary

The Waterfall WF-500 TX and RX Hosts running firmware version 7.9.1.0 R2502171040 contain an OS command injection vulnerability (CWE-78) in the Console WebUI component. An unauthenticated remote attacker can exploit improper neutralization of special elements to execute arbitrary operating system commands on the device. The attack requires network access to the WebUI with no authentication, resulting in complete compromise of device confidentiality, integrity, and availability.

Defensive priority

critical

Recommended defensive actions

• Restrict network access to the Waterfall WF-500 Console WebUI to authorized administrative hosts only
• Apply vendor-supplied firmware updates when available from Waterfall Security
• Monitor WebUI access logs for anomalous requests that may indicate command injection attempts
• Segment WF-500 management interfaces from operational networks per ICS security best practices
• Review and validate input sanitization on any WebUI-facing services in the environment

Evidence notes

CPE data confirms affected product as Waterfall Security WF-500 firmware at version 7.9.1.0_r2502171040 and earlier. The hardware component (WF-500) is listed as not vulnerable, indicating the firmware is the affected component. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N.

Official resources