CVE-2025-41278: Waterfall WF-500 RX Host Out-of-Bounds Read Remote Code Execution
A memory read vulnerability exists in Waterfall Security's WF-500 RX Host (version 7.10.0.0 R2601141040) that allows an attacker with access to the TX Host to execute arbitrary code. The flaw stems from improper memory access controls, enabling an authenticated insider to move laterally within the Waterfall appliance and gain control of the receive-side components. This is a serious concern for organizations using Waterfall's unidirectional security gateways, as it undermines the trust boundary between the TX and RX sides of the architecture.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-125
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-41278 is an out-of-bounds read vulnerability (CWE-125) in Waterfall WF-500 RX Host that can be exploited to achieve remote code execution. The vulnerability allows a local, authenticated attacker on the TX Host to read memory beyond intended boundaries and leverage this access to execute code on the RX Host. The CVSS 3.1 score of 7.8 reflects high impact across confidentiality, integrity, and availability, with a local attack vector and low attack complexity. The vulnerability affects version 7.10.0.0 R2601141040 and potentially other versions of the WF-500 firmware.
Business impact
The WF-500 is critical infrastructure in many industrial and sensitive networks, functioning as a unidirectional security gateway to enforce information flow policies. Compromise of the RX Host undermines the core security model and could allow attackers to alter, exfiltrate, or disrupt data transiting through the gateway. For organizations relying on Waterfall for network segmentation in OT/ICS environments, this vulnerability represents a path to lateral movement and potential sabotage of protected systems. The ability to execute code on the RX Host could also facilitate persistence and further reconnaissance.
Affected systems
Waterfall WF-500 RX Host running version 7.10.0.0 R2601141040 is confirmed affected. Organizations should verify whether they are running this specific version or related builds and check with Waterfall Security for a comprehensive list of affected firmware versions. The vulnerability requires TX Host access, which typically means internal network or supply-chain compromises, but organizations with shared or multi-tenant TX deployments face elevated risk.
Exploitability
Exploitation requires prior access to the TX Host and valid credentials or privileged execution context on that host. The attack complexity is low once that foothold is established, making it a logical next step for a sophisticated internal threat or supply-chain adversary. The vulnerability is not known to be exploited in the wild or included in the CISA KEV catalog as of the latest update, but the low technical barrier post-compromise suggests it could be weaponized quickly by threat actors familiar with Waterfall internals.
Remediation
Waterfall Security should issue a patched firmware version addressing the out-of-bounds read and enforcing proper memory access controls between the TX and RX hosts. Organizations must update to a corrected version as soon as it becomes available. Until patching is complete, implement strict access controls to the TX Host, segment networks to limit lateral movement opportunities, and monitor for suspicious memory access patterns or code execution anomalies.
Patch guidance
Wait for an official firmware update from Waterfall Security that resolves CVE-2025-41278. Contact Waterfall support or consult their security advisory for the corrected version number and timeline. Do not assume that simply updating to a newer version addresses this flaw—verify the specific build number against the vendor's advisory. Test patches in a lab environment mirroring your production WF-500 configuration before deployment, as firmware updates may impact unidirectional gateway operations. Plan for potential downtime during patching.
Detection guidance
Monitor WF-500 logs for unusual process creation or code execution on the RX Host, particularly if triggered from TX-side activity. Track memory access anomalies or segmentation faults that may indicate exploitation attempts. Enable detailed audit logging on both TX and RX hosts if available. Use host-based intrusion detection or endpoint security tools to flag unexpected binary execution or privilege escalation on the RX side. Correlate TX-side authentication and activity logs with RX-side events to identify lateral movement patterns.
Why prioritize this
Although not yet in active exploitation or on the CISA KEV list, this vulnerability scores 7.8 (HIGH) and directly threatens the security model of a critical infrastructure protection appliance. The combination of high impact (code execution on RX Host) and the low barrier to exploitation once TX access is gained makes this a significant concern for defense-in-depth. Organizations using WF-500 in OT/ICS or other high-assurance environments should prioritize patching ahead of general software updates.
Risk score, explained
The CVSS 3.1 score of 7.8 reflects the severity: local attack vector and low complexity for an authenticated attacker, combined with high impact on confidentiality, integrity, and availability. The score appropriately captures the real-world risk of code execution on a critical gateway device, even though exploitation requires prior TX Host access. The lack of network adjacency (AV:L) and requirement for valid credentials (PR:L) prevent a maximum score, but the potential for lateral movement and persistent compromise justifies the HIGH severity rating.
Frequently asked questions
What is the practical attack scenario for this vulnerability?
An attacker with access to the WF-500 TX Host (through compromised credentials, insider threat, or supply-chain compromise) exploits the out-of-bounds read to gain the ability to execute code on the RX Host. This allows them to bypass the security controls that Waterfall's unidirectional design is meant to enforce and potentially exfiltrate, modify, or disrupt data flowing through the gateway.
Does this vulnerability require network access from outside my organization?
No. Exploitation requires local or authenticated access to the TX Host first. This means the attacker must already be inside your network or have compromised TX Host credentials. However, for organizations in multi-tenant or cloud-based deployments, or those where TX Host access is more broadly distributed, the risk is heightened.
Is there a workaround if I cannot patch immediately?
There is no known workaround that fully mitigates the vulnerability without a patch. Implement compensating controls: restrict TX Host access to a minimal set of trusted users, segment networks to isolate the WF-500 from other systems, and monitor RX Host activity for signs of unauthorized code execution. These measures reduce risk but do not eliminate it.
How do I determine if my WF-500 is running the affected version?
Check the firmware version and build number (R2601141040) from the WF-500 management interface or system information. Version 7.10.0.0 R2601141040 is confirmed affected. Contact Waterfall Security to confirm whether other builds or versions are also vulnerable and to obtain the corrected firmware version number.
This analysis is based on publicly available information as of the vulnerability's publication date and the vendor's advisory. Organizations should verify all patch version numbers and timelines directly with Waterfall Security before deployment. The absence of a CVE entry in the CISA Known Exploited Vulnerabilities catalog does not guarantee the vulnerability is not being exploited—apply patches on a risk-appropriate schedule. No exploit proof-of-concept code is provided. This information is provided for educational and defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0076HIGHAndroid ResourceTypes.cpp Out-of-Bounds Read Privilege Escalation
- CVE-2026-10017HIGHChrome Sandbox Escape via Out-of-Bounds Read in Headless Mode
- CVE-2026-10889HIGHCritical ANGLE Sandbox Escape in Google Chrome – Patch to 149.0.7827.53
- CVE-2026-10927HIGHChrome Sandbox Escape via Dawn Out-of-Bounds Read
- CVE-2026-10930HIGHChrome ANGLE Out-of-Bounds Read on macOS
- CVE-2026-10941HIGHSkia Out-of-Bounds Memory Vulnerability in Chrome – Urgent Patch Required
- CVE-2026-11015HIGHCritical Chrome WebGPU Out-of-Bounds Read Vulnerability
- CVE-2026-38570HIGHbacnet_stack Out-of-Bounds Read Denial of Service Vulnerability