CVE-2025-41265: Waterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
Waterfall Security's WF-500 TX Host contains a command injection flaw in its web-based administration interface. An attacker with valid administrative credentials can inject malicious operating system commands through the web UI, leading to arbitrary command execution on the device itself. This is a post-authentication attack—the attacker must already have admin-level access—but once inside, they can run any OS-level commands the host permits.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-41265 is an OS Command Injection vulnerability (CWE-78) affecting Waterfall WF-500 TX Host version 7.9.1.0 R2502171040. The flaw exists in the Administration WebUI where user-supplied input is not properly sanitized before being passed to an OS command execution function. An authenticated administrator can exploit this by crafting specially formed input that breaks out of the intended command context and injects arbitrary shell commands. The vulnerability requires high-level privileges (PR:H) but has a network attack vector and no user interaction, making it actionable for a compromised admin account.
Business impact
If an insider or an attacker with administrative credentials exploits this flaw, they can fully compromise the WF-500 TX Host—reading sensitive files, modifying system configuration, deploying malware, or disrupting operations. For critical infrastructure environments where Waterfall devices provide network segmentation or air-gap protection, this creates a direct path to lateral movement or persistence. The impact is particularly acute if the admin account has been compromised via credential theft or phishing.
Affected systems
Waterfall Security WF-500 TX Host running firmware version 7.9.1.0 R2502171040 is confirmed vulnerable. Organizations should verify whether they are running this specific version or nearby patch levels. The WF-500 is commonly deployed in OT/critical infrastructure environments for network isolation and secure data transfer; inventory and prioritize patching accordingly.
Exploitability
Exploitation requires valid administrative credentials to access the WebUI—this is not an unauthenticated remote code execution. However, the attack is straightforward once authenticated: no complex exploit logic or user interaction is needed. The vulnerability has not been added to the CISA Known Exploited Vulnerabilities (KEV) catalog as of the last update, meaning active exploitation in the wild has not been publicly confirmed, but this does not rule out targeted use. Organizations should treat this as a critical internal access control risk.
Remediation
Upgrade Waterfall WF-500 TX Host firmware to a patched version released after the vulnerability was identified (published 2026-05-29). Consult Waterfall Security's official advisory for the specific patch version number and compatibility notes. Pending patch deployment, enforce strict administrative access controls: limit who can access the WebUI, use multi-factor authentication if available, monitor admin login activity for anomalies, and restrict network access to the management interface to trusted subnets only.
Patch guidance
Contact Waterfall Security directly or check their security advisory portal for the latest firmware release that addresses CVE-2025-41265. Apply patches in a controlled maintenance window after testing in a staging environment. WF-500 devices in production OT networks may require coordination with operations teams and may need brief downtime. Verify the firmware version before and after patching to confirm successful deployment.
Detection guidance
Monitor access logs for the WF-500 TX Host Administration WebUI, focusing on admin account login frequency and timing anomalies. Log or alert on OS-level command execution originating from the WebUI process. Watch for unusual file I/O or process spawning patterns on the WF-500 itself. Network-based detection is difficult since this is an authenticated, internal attack; endpoint/host-level monitoring and access logs are your primary sensors. Review historical logs for suspicious admin activities, especially command sequences that appear out of character.
Why prioritize this
This scores 7.2 (HIGH) due to high confidentiality, integrity, and availability impact on the affected host, combined with a network attack vector and low attack complexity. While it requires authenticated admin access, the consequences are severe—full system compromise. In OT environments where the WF-500 is used for critical network segmentation, a single compromised admin account becomes a pivot point for wider infrastructure attacks. Prioritize patching in production environments; elevate priority if credential theft or insider threats are a concern in your organization.
Risk score, explained
CVSS 3.1 score of 7.2 reflects: Network-based attack (AV:N), low complexity (AC:L), high privileges required (PR:H), no user interaction needed (UI:N), unchanged scope (S:U), and high impact across confidentiality, integrity, and availability (C:H/I:H/A:H). The high privilege requirement prevents this from being critical (9.0+), but the unrestricted impact once authenticated justifies the HIGH rating. Organizations should treat this as a priority fix for any WF-500 serving critical functions.
Frequently asked questions
Do I need admin credentials to trigger this vulnerability?
Yes. The vulnerability requires remote authentication with administrative privileges to access the WebUI. This means an attacker needs a valid admin account or must first compromise one to exploit the flaw.
Is this vulnerability actively exploited in the wild?
As of the last update, CVE-2025-41265 is not listed on CISA's KEV (Known Exploited Vulnerabilities) catalog, indicating no confirmed active exploitation has been publicly documented. However, the absence of KEV status does not guarantee safety—targeted attacks may still occur without public disclosure.
What should I do if I cannot patch immediately?
Restrict administrative access to the WF-500 WebUI to a minimal set of trusted users. Use network segmentation to limit who can reach the management interface (e.g., VPN, jump hosts, dedicated admin networks). Enable multi-factor authentication if supported. Monitor admin activities closely for anomalies. Create a patching timeline and communicate it to stakeholders.
Does this affect the WF-500 RX side or only the TX Host?
According to the vulnerability report, the flaw is specific to the WF-500 TX Host Administration WebUI. However, if your deployment uses paired TX/RX units, verify the firmware versions on both sides and coordinate patching. Check Waterfall's advisory for any related issues on other WF-500 variants.
This analysis is based on publicly available CVE data as of 2026-06-17. Patch version numbers and specific remediation steps should be verified against Waterfall Security's official security advisory. Organizations should conduct their own risk assessment based on their deployment environment, threat model, and access control posture. No exploit code or proof-of-concept details are provided in this analysis. Always test patches in a non-production environment before deployment to critical infrastructure. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability
- CVE-2026-10273HIGHRemote Code Execution in php-censor Webhook Handler