HIGH 7.8

CVE-2025-41278: Waterfall WF-500 RX Host Out-of-Bounds Read Remote Code Execution

A memory read vulnerability exists in Waterfall Security's WF-500 RX Host (version 7.10.0.0 R2601141040) that allows an attacker with access to the TX Host to execute arbitrary code. The flaw stems from improper memory access controls, enabling an authenticated insider to move laterally within the Waterfall appliance and gain control of the receive-side components. This is a serious concern for organizations using Waterfall's unidirectional security gateways, as it undermines the trust boundary between the TX and RX sides of the architecture.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-125
Affected products
2 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-41278 is an out-of-bounds read vulnerability (CWE-125) in Waterfall WF-500 RX Host that can be exploited to achieve remote code execution. The vulnerability allows a local, authenticated attacker on the TX Host to read memory beyond intended boundaries and leverage this access to execute code on the RX Host. The CVSS 3.1 score of 7.8 reflects high impact across confidentiality, integrity, and availability, with a local attack vector and low attack complexity. The vulnerability affects version 7.10.0.0 R2601141040 and potentially other versions of the WF-500 firmware.

Business impact

The WF-500 is critical infrastructure in many industrial and sensitive networks, functioning as a unidirectional security gateway to enforce information flow policies. Compromise of the RX Host undermines the core security model and could allow attackers to alter, exfiltrate, or disrupt data transiting through the gateway. For organizations relying on Waterfall for network segmentation in OT/ICS environments, this vulnerability represents a path to lateral movement and potential sabotage of protected systems. The ability to execute code on the RX Host could also facilitate persistence and further reconnaissance.

Affected systems

Waterfall WF-500 RX Host running version 7.10.0.0 R2601141040 is confirmed affected. Organizations should verify whether they are running this specific version or related builds and check with Waterfall Security for a comprehensive list of affected firmware versions. The vulnerability requires TX Host access, which typically means internal network or supply-chain compromises, but organizations with shared or multi-tenant TX deployments face elevated risk.

Exploitability

Exploitation requires prior access to the TX Host and valid credentials or privileged execution context on that host. The attack complexity is low once that foothold is established, making it a logical next step for a sophisticated internal threat or supply-chain adversary. The vulnerability is not known to be exploited in the wild or included in the CISA KEV catalog as of the latest update, but the low technical barrier post-compromise suggests it could be weaponized quickly by threat actors familiar with Waterfall internals.

Remediation

Waterfall Security should issue a patched firmware version addressing the out-of-bounds read and enforcing proper memory access controls between the TX and RX hosts. Organizations must update to a corrected version as soon as it becomes available. Until patching is complete, implement strict access controls to the TX Host, segment networks to limit lateral movement opportunities, and monitor for suspicious memory access patterns or code execution anomalies.

Patch guidance

Wait for an official firmware update from Waterfall Security that resolves CVE-2025-41278. Contact Waterfall support or consult their security advisory for the corrected version number and timeline. Do not assume that simply updating to a newer version addresses this flaw—verify the specific build number against the vendor's advisory. Test patches in a lab environment mirroring your production WF-500 configuration before deployment, as firmware updates may impact unidirectional gateway operations. Plan for potential downtime during patching.

Detection guidance

Monitor WF-500 logs for unusual process creation or code execution on the RX Host, particularly if triggered from TX-side activity. Track memory access anomalies or segmentation faults that may indicate exploitation attempts. Enable detailed audit logging on both TX and RX hosts if available. Use host-based intrusion detection or endpoint security tools to flag unexpected binary execution or privilege escalation on the RX side. Correlate TX-side authentication and activity logs with RX-side events to identify lateral movement patterns.

Why prioritize this

Although not yet in active exploitation or on the CISA KEV list, this vulnerability scores 7.8 (HIGH) and directly threatens the security model of a critical infrastructure protection appliance. The combination of high impact (code execution on RX Host) and the low barrier to exploitation once TX access is gained makes this a significant concern for defense-in-depth. Organizations using WF-500 in OT/ICS or other high-assurance environments should prioritize patching ahead of general software updates.

Risk score, explained

The CVSS 3.1 score of 7.8 reflects the severity: local attack vector and low complexity for an authenticated attacker, combined with high impact on confidentiality, integrity, and availability. The score appropriately captures the real-world risk of code execution on a critical gateway device, even though exploitation requires prior TX Host access. The lack of network adjacency (AV:L) and requirement for valid credentials (PR:L) prevent a maximum score, but the potential for lateral movement and persistent compromise justifies the HIGH severity rating.

Frequently asked questions

What is the practical attack scenario for this vulnerability?

An attacker with access to the WF-500 TX Host (through compromised credentials, insider threat, or supply-chain compromise) exploits the out-of-bounds read to gain the ability to execute code on the RX Host. This allows them to bypass the security controls that Waterfall's unidirectional design is meant to enforce and potentially exfiltrate, modify, or disrupt data flowing through the gateway.

Does this vulnerability require network access from outside my organization?

No. Exploitation requires local or authenticated access to the TX Host first. This means the attacker must already be inside your network or have compromised TX Host credentials. However, for organizations in multi-tenant or cloud-based deployments, or those where TX Host access is more broadly distributed, the risk is heightened.

Is there a workaround if I cannot patch immediately?

There is no known workaround that fully mitigates the vulnerability without a patch. Implement compensating controls: restrict TX Host access to a minimal set of trusted users, segment networks to isolate the WF-500 from other systems, and monitor RX Host activity for signs of unauthorized code execution. These measures reduce risk but do not eliminate it.

How do I determine if my WF-500 is running the affected version?

Check the firmware version and build number (R2601141040) from the WF-500 management interface or system information. Version 7.10.0.0 R2601141040 is confirmed affected. Contact Waterfall Security to confirm whether other builds or versions are also vulnerable and to obtain the corrected firmware version number.

This analysis is based on publicly available information as of the vulnerability's publication date and the vendor's advisory. Organizations should verify all patch version numbers and timelines directly with Waterfall Security before deployment. The absence of a CVE entry in the CISA Known Exploited Vulnerabilities catalog does not guarantee the vulnerability is not being exploited—apply patches on a risk-appropriate schedule. No exploit proof-of-concept code is provided. This information is provided for educational and defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).