HIGH 7.5

CVE-2025-41271: Waterfall WF-500 Path Traversal – Arbitrary File Read Vulnerability

A path traversal vulnerability exists in the Waterfall WF-500 Console WebUI that allows attackers to read sensitive files from affected devices without requiring authentication. The flaw stems from improper handling of relative file paths, enabling an attacker to navigate outside intended directories and access arbitrary files on the system. This is a remote attack requiring only network access—no user interaction or special privileges needed.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-23
Affected products
2 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to read arbitrary files from the device.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-41271 is a CWE-23 Relative Path Traversal vulnerability affecting the Console WebUI component of Waterfall WF-500 TX and RX Hosts running firmware version 7.9.1.0 R2502171040. The vulnerability allows unauthenticated remote attackers to construct specially crafted requests that bypass path restrictions, resulting in unauthorized read access to arbitrary files. The CVSS 3.1 score of 7.5 (HIGH) reflects the high confidentiality impact, network-based attack vector, and lack of authentication or user interaction requirements. The integrity and availability of the device are not affected by this vulnerability.

Business impact

Unauthorized file disclosure on Waterfall WF-500 devices could expose sensitive operational technology data, configuration files, logs, and credentials stored on affected hosts. In industrial and critical infrastructure environments where WF-500 devices typically operate, this breach of confidentiality may lead to reconnaissance for follow-up attacks, compliance violations, or operational disruption if sensitive process control information is disclosed. Organizations relying on WF-500 for network segmentation or monitoring should treat this as a prompt remediation priority.

Affected systems

The vulnerability affects Waterfall Security's WF-500 firmware, specifically version 7.9.1.0 R2502171040. Both TX (transmitter) and RX (receiver) host variants are impacted. Verify whether your deployed WF-500 instances match this version and scope firmware updates accordingly. Waterfall should be consulted for information on whether earlier or later firmware versions are affected.

Exploitability

This vulnerability is highly exploitable. It requires only network connectivity to the Console WebUI—no authentication, no special privileges, and no user interaction. An attacker can remotely and repeatedly attempt path traversal payloads to exfiltrate files. The attack surface is broad: any network-reachable WF-500 device with the vulnerable firmware is at risk. Exploitation is straightforward from an attacker perspective, involving simple HTTP-based path manipulation.

Remediation

Organizations must update WF-500 firmware to a patched version released by Waterfall Security. Until a patch is available and deployed, implement network access controls to restrict Console WebUI access to trusted administrative networks only. Disable remote WebUI access if not operationally required. Monitor for suspicious file-read patterns in logs. Verify the fix against Waterfall's advisory before deploying to production.

Patch guidance

Contact Waterfall Security for patched firmware versions addressing CVE-2025-41271. Apply patches during a maintenance window to minimize operational disruption. Test patches in a staging environment mirroring production WF-500 configurations before full deployment. After patching, verify that the Console WebUI properly validates and restricts file path access. Document patch deployment dates and versions for compliance and audit trails.

Detection guidance

Search network logs and web server access logs for unusual path traversal patterns (e.g., sequences of ../ or ..\) directed at the WF-500 Console WebUI endpoints. Monitor for HTTP requests attempting to access system files or configuration paths outside the intended application directories. Implement IDS/IPS signatures targeting relative path traversal attacks. Alert on repeated failed or successful file-read attempts from untrusted source IPs. If available, enable debug logging on the WF-500 to capture attempted path traversal payloads.

Why prioritize this

CVE-2025-41271 merits urgent remediation due to its HIGH CVSS score (7.5), unauthenticated remote attack vector, and direct confidentiality impact. Industrial environments depend on WF-500 for network segmentation and monitoring; compromise of this trust boundary via unauthorized file disclosure poses significant risk to operational continuity and safety. The ease of exploitation and lack of user-interaction requirements make this a high-priority target for threat actors conducting reconnaissance in ICS/OT environments.

Risk score, explained

The CVSS 3.1 score of 7.5 reflects: (1) Network-based attack vector with no authentication required; (2) Low attack complexity—exploitation requires straightforward path manipulation; (3) High confidentiality impact—arbitrary file read access; (4) No integrity or availability compromise; (5) Scope unchanged. The HIGH severity is justified by the combination of ease of exploitation and direct exposure of sensitive operational data in critical infrastructure contexts.

Frequently asked questions

Is this vulnerability being actively exploited in the wild?

As of the last update, this CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, absence from KEV does not mean exploitation is unlikely. The straightforward nature of path traversal attacks makes opportunistic exploitation probable once the vulnerability becomes widely known. Monitor threat intelligence feeds and Waterfall Security advisories for active exploitation reports.

Can I mitigate this vulnerability without patching?

Complete mitigation requires a firmware patch from Waterfall Security. Temporary mitigations include: restricting Console WebUI network access via firewall rules, disabling remote access if not operationally critical, and implementing network segmentation to limit blast radius. These measures reduce attack surface but do not eliminate the underlying flaw.

What files could an attacker access?

Relative path traversal allows attackers to read any file accessible by the WebUI process, potentially including system configuration files, logs, credentials, and application data. The exact scope depends on the WF-500 filesystem layout and process permissions. Organizations should assume sensitive operational data could be exposed.

Does this affect my WF-500 if I've disabled the WebUI?

If the Console WebUI is disabled or unreachable on your network, this vulnerability cannot be exploited. Verify that your WF-500 instances have WebUI access restricted to trusted networks or disabled entirely. Confirm this configuration across all deployed devices.

This analysis is based on published vulnerability data as of the source date. Patch availability, KEV status, and active exploitation status may change. Organizations should verify all technical details and patch guidance against official Waterfall Security advisories before deploying updates. SEC.co does not provide exploit code or step-by-step attack instructions. This analysis is for defensive security purposes only and should inform risk-based prioritization of patching and mitigation activities. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).