PatchSiren

CVE-2025-41273 Waterfall CVE debrief

A critical authentication bypass vulnerability exists in the Console WebUI of Waterfall WF-500 TX and RX Hosts running firmware version 7.9.1.0 R2502171040. Nozomi Networks Labs identified this flaw as CWE-288: Authentication Bypass Using an Alternate Path or Channel. Remote unauthenticated attackers can exploit this weakness to bypass authentication entirely and perform actions as an authenticated user on the Console web application. The vulnerability carries a CVSS 4.0 base score of 9.3 (Critical), reflecting severe impact to confidentiality, integrity, and availability with network attack vector, low attack complexity, and no privileges or user interaction required.

The affected product is the Waterfall WF-500, an industrial cybersecurity hardware platform used for unidirectional data diode and gateway deployments in operational technology environments. The CPE configuration indicates the firmware is vulnerable through version 7.9.1.0 R2502171040, with no explicit fixed version specified in available data.

The vulnerability was published in the NVD on May 29, 2026, with a subsequent modification on June 1, 2026. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Waterfall
Product: WF-500
CVSS: CRITICAL 9.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-06-01
Advisory published: 2026-05-29
Advisory updated: 2026-06-01

Who should care

Organizations deploying Waterfall WF-500 TX or RX Hosts for industrial network segmentation and unidirectional gateway functions should prioritize response. Security teams in critical infrastructure, manufacturing, energy, and other OT-dependent sectors using Waterfall products for data diode implementations are directly affected. Network defenders responsible for monitoring and managing remote access to industrial cybersecurity appliances should assess exposure immediately.

Technical summary

The vulnerability resides in the Console WebUI component of Waterfall WF-500 TX and RX Hosts. An alternate path or channel exists that allows remote attackers to circumvent the authentication mechanism entirely. Successful exploitation grants the attacker the full capabilities of an authenticated user within the web application context. The attack requires network access to the WebUI but no valid credentials, making it exploitable by any reachable unauthenticated actor. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H) confirms high impacts across confidentiality, integrity, and availability dimensions with minimal attack requirements.

Defensive priority

critical

Recommended defensive actions

  • Restrict network access to Waterfall WF-500 Console WebUI interfaces to trusted administrative hosts only; do not expose management interfaces to untrusted or internet-facing networks.
  • Monitor for unauthorized access attempts to WF-500 Console WebUI endpoints, particularly successful authentication events from unexpected source addresses or without corresponding valid credential use.
  • Apply security updates from Waterfall Security when available; verify firmware version and consult vendor advisory for patch availability beyond version 7.9.1.0 R2502171040.
  • Review and validate WebUI access controls, ensuring multi-factor authentication and session management mechanisms are enforced where technically feasible.
  • Conduct network segmentation assessments to ensure WF-500 management interfaces are isolated from operational technology process networks and untrusted zones.
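
One way to act on the first two recommended actions, shown as an added example that is not from the advisory or from Waterfall: a triage pass over access records for the Console WebUI, taken from a sensor or proxy in front of the management interface. The log layout, the admin subnet, the `/login` path and the sample lines are all assumptions constructed for illustration, not the WF-500's own log format.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions (not from the advisory): admin subnet, login path, log layout.
ADMIN_NETS = [ipaddress.ip_network("10.20.30.0/28")]
LOGIN_PATH = "/login"              # hypothetical; use the path your sensor records
SESSION_WINDOW = timedelta(hours=8)

# Constructed sample: "<ISO time> <src ip> <method> <path> <status>"
SAMPLE_LOG = """\
2026-06-02T08:00:01 10.20.30.5 POST /login 302
2026-06-02T08:00:03 10.20.30.5 GET /console/status 200
2026-06-02T09:14:40 10.20.30.7 GET /console/config 200
2026-06-02T09:15:02 192.0.2.44 GET /console/config 200
2026-06-02T09:15:09 10.20.30.7 GET /console/users 401
"""

def parse(line):
    ts, src, method, path, status = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), method, path, int(status)

def detect(log_text):
    """Return (timestamp, source, reason) alerts for WebUI access worth triage."""
    last_login = {}   # source address -> time of its last successful login
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, method, path, status = parse(line)
        ok = 200 <= status < 400   # request was served rather than rejected
        if not any(src in net for net in ADMIN_NETS):
            alerts.append((ts.isoformat(), str(src), "source outside admin allowlist"))
        if path == LOGIN_PATH:
            if method == "POST" and ok:
                last_login[src] = ts
            continue
        seen = last_login.get(src)
        # Content served to a source with no recent login is the pattern an
        # authentication bypass would leave in this kind of record.
        if ok and (seen is None or ts - seen > SESSION_WINDOW):
            alerts.append((ts.isoformat(), str(src), "served content without prior login"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Login state is tracked per source address, so administrators behind a shared NAT address or a jump host will mask one another; where the sensor records a session identifier, key on that instead.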

Evidence notes

The CWE-288 classification and the CVSS 4.0 vector are sourced from NVD analysis records. The affected product and version constraints are derived from CPE criteria published in the NVD entry. The vendor attribution to Waterfall Security is based on CPE vendor naming, with medium confidence.

Official resources

Nozomi Networks Labs disclosed this vulnerability to Waterfall Security. The advisory was published as a vendor advisory on May 29, 2026.