HIGH 7.2

CVE-2025-41267: Waterfall WF-500 TX Host Command Injection Vulnerability

A command injection vulnerability exists in the Waterfall WF-500 TX Host administration web interface that allows authenticated administrators to execute arbitrary operating system commands. An attacker with administrative credentials can craft malicious input through the WebUI to bypass command sanitization and gain direct OS-level access to the device. This is a post-authentication attack requiring valid admin credentials, but once exploited, provides complete system compromise.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-78
Affected products
2 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-41267 is an OS command injection flaw (CWE-78) in the WF-500 TX Host Administration WebUI. The vulnerability stems from improper neutralization of special elements in OS command construction. An authenticated attacker with administrative privileges can inject shell metacharacters through WebUI input fields that are passed unsanitized to OS command execution contexts. The CVSS 3.1 score of 7.2 (HIGH) reflects high impact across confidentiality, integrity, and availability with network accessibility and low attack complexity, though exploitation requires high-privilege authentication.

Business impact

Successful exploitation compromises the integrity and availability of critical Waterfall WF-500 TX Host deployments, which are typically deployed in industrial control and operational technology environments. An attacker with admin access could modify system configurations, exfiltrate sensitive process data, disable safety monitoring, or introduce persistent backdoors. The blast radius extends to any systems or processes the WF-500 device monitors or controls, making this a significant risk for organizations using Waterfall devices in critical infrastructure.

Affected systems

Waterfall Security WF-500 TX Host running firmware version 7.9.1.0 R2502171040 is confirmed vulnerable. Organizations should verify whether their WF-500 deployments are running this specific version or earlier versions with the same code path. Waterfall Security has responsibility for confirming the full range of affected firmware versions and whether WF-500 RX or other Waterfall products contain the same code.

Exploitability

Exploitation requires remote network access to the WebUI and valid administrative credentials. This restricts the attack surface to adversaries who have already compromised or obtained admin credentials, making it a post-authentication, high-privilege attack. However, the attack complexity is low—no special techniques or race conditions are required once credentials are obtained. This makes it an effective persistence and lateral movement vector for sophisticated threat actors already inside a network with admin-level access.

Remediation

Apply the firmware patch released by Waterfall Security that addresses CWE-78 command injection in the Administration WebUI. Organizations should obtain the specific patched firmware version from Waterfall Security and follow their recommended update procedures. Until patching is possible, restrict administrative WebUI access to trusted networks using network segmentation and monitor for suspicious administrative activity.

Patch guidance

Contact Waterfall Security for the patched firmware version that remediates this vulnerability. Verify the patch version in the vendor advisory before deployment. Deploy updates in a controlled manner consistent with your ICS/OT change management procedures, including pre-deployment testing in non-production environments. Document baseline configurations before patching to aid in rollback if needed. Coordinate patching windows with operational stakeholders to minimize disruption to monitored systems.

Detection guidance

Monitor WF-500 TX Host Administration WebUI access logs for unusual command patterns, particularly input containing shell metacharacters (semicolons, pipes, backticks, dollar signs, parentheses) in form submissions. Establish baselines for legitimate administrative commands and alert on deviations. Implement network-based detection for suspicious WebUI traffic using intrusion detection signatures focusing on OS command injection payloads. Review audit logs for administrative account activity, particularly privilege changes or system configuration modifications that coincide with WebUI access anomalies.

Why prioritize this

Despite requiring authenticated access, this vulnerability should be prioritized as HIGH. OS command injection in an ICS/OT device provides complete system compromise capability. The WF-500's role as a security monitoring and segregation device means its compromise undermines the security posture of entire industrial networks. The combination of HIGH CVSS score, direct OS access impact, and typical deployment in critical infrastructure environments warrants prompt patching.

Risk score, explained

CVSS 3.1 score of 7.2 reflects: high impact (complete confidentiality, integrity, and availability compromise) balanced against the requirement for remote network access and high-privilege authentication. Network accessibility and low attack complexity increase the score, while the high privilege requirement (PR:H) provides meaningful mitigation. In ICS/OT contexts, the base score understates risk because the WF-500's criticality and typical network segmentation placement amplify potential impact.

Frequently asked questions

Does this vulnerability affect WF-500 RX Host devices or only TX Host?

The vulnerability is confirmed in WF-500 TX Host. Organizations should verify with Waterfall Security whether WF-500 RX, gateway models, or other product variants contain the same vulnerable code path.

Can the attack be executed without administrative credentials?

No. Exploitation requires valid administrative credentials to access the WebUI. However, compromised or leaked admin credentials significantly lower the barrier to exploitation compared to unauthenticated attacks.

What is the recommended timeline for patching?

Given the HIGH severity and complete system compromise potential, patches should be applied as soon as vendor updates are available and validated in your environment. Organizations unable to patch immediately should implement compensating controls such as network segmentation and access restrictions.

How does this affect security monitoring if the WF-500 itself is compromised?

An attacker with OS-level access to the WF-500 could disable monitoring, falsify logs, or bypass segregation functions. This makes credential security and network access controls critical supplementary defenses.

This analysis is based on the published CVE description and CVSS vector. Organizations should verify affected firmware versions, obtain official patches from Waterfall Security, and conduct their own risk assessment based on deployment architecture and network segmentation controls. No exploit code or weaponized proof-of-concept is provided herein. This vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).