HIGH 7.8

CVE-2025-41280: Waterfall WF-500 RX Host Path Traversal (Zip Slip) Code Execution Vulnerability

Waterfall Security's WF-500 RX Host contains a path traversal vulnerability (Zip Slip) that allows attackers who have already gained access to the TX Host to execute arbitrary code on the RX Host, provided MySQL connector functionality is configured and file compression is enabled. The vulnerability stems from improper handling of file paths during decompression operations, enabling attackers to write files outside their intended directory. This is a privilege escalation concern within an already-compromised environment rather than an initial access vector.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-23
Affected products
2 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

Nozomi Networks Labs identified a CWE-23: Relative Path Traversal (Zip Slip) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured and file compression is enabled.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2025-41280 is a CWE-23 Relative Path Traversal vulnerability affecting Waterfall WF-500 RX Host version 7.9.1.0 R2502171040. The flaw exists in the file decompression logic when MySQL connector support is active and compression is enabled. An attacker with TX Host access can craft malicious compressed files containing relative path traversals (e.g., '../') that, when extracted by the RX Host, escape the intended extraction directory and overwrite arbitrary files with code execution capability. The attack vector is local (to the TX Host) and requires low privilege, but succeeds without user interaction.

Business impact

Exploitation enables lateral movement and privilege escalation within industrial control system (ICS) networks protected by Waterfall security appliances. A compromised TX Host becomes a pivot point to achieve code execution on the RX Host, potentially disrupting critical process control, data integrity, or triggering failover events. For organizations relying on WF-500 for air-gap enforcement or segmentation, this chain undermines a core security boundary. Downtime for patching or reconfiguration could impact production environments.

Affected systems

Waterfall Security WF-500 RX Host running firmware version 7.9.1.0 R2502171040 is confirmed vulnerable. The attack surface is limited to environments where both the TX Host is already compromised or under attacker control and MySQL connector functionality is configured with compression enabled. Organizations using WF-500 without MySQL connectors or without compression enabled have reduced risk, though vendor verification of scope is recommended.

Exploitability

Exploitation requires an attacker to already possess access to the TX Host—this is not a remote vulnerability. Once positioned on the TX Host, an attacker can craft a specially formed compressed file and introduce it to the replication stream targeting the RX Host. No authentication bypass or social engineering is needed; exploitation is deterministic if preconditions (MySQL connector + compression) are met. No public exploit code or KEV listing exists yet, reducing opportunistic attack likelihood, but the attack chain is straightforward for a skilled threat actor.

Remediation

Apply the latest Waterfall WF-500 firmware release, which addresses path traversal handling during decompression. Verify the patch version against Waterfall's official security advisory and release notes. Additionally, disable file compression on the MySQL connector if not operationally necessary, or restrict TX Host access to trusted administrative interfaces and network segments. Monitor TX-to-RX communication logs for anomalous compressed file transfers.

Patch guidance

Obtain the latest WF-500 firmware release from Waterfall Security's support portal. Verify the build number against their published security advisory to confirm the patch is included. Test the firmware update in a non-production environment first, as ICS appliances often require careful upgrade sequencing. Plan a maintenance window to minimize disruption to critical process data replication. Confirm post-patch that compression and MySQL connector settings are re-enabled only where functionally required.

Detection guidance

Monitor Waterfall WF-500 TX and RX Host logs for unusual file compression or decompression events, particularly those involving path traversal indicators (consecutive dots and slashes) or extraction to unexpected directories. Inspect MySQL connector activity logs for suspicious transactions or changes to replicated data schemas. Network detection can flag abnormally large or malformed compressed payloads on TX-to-RX communication channels. Host-level integrity monitoring (HIDS) on the RX Host can alert on unexpected file creation outside normal replication directories.

Why prioritize this

This vulnerability merits prompt attention despite a moderate attack complexity because it enables code execution in an ICS environment that is typically air-gapped and heavily relied upon for safety and availability. The HIGH CVSS score reflects the impact severity (code execution, privilege escalation) and the low barrier to exploitation once TX Host compromise occurs. Organizations should prioritize patching WF-500 instances that host MySQL connectors in production environments, particularly those managing critical infrastructure.

Risk score, explained

CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector (AV:L) with low attack complexity (AC:L) and low privilege requirement (PR:L). The impact is severe: high confidentiality, integrity, and availability loss on the RX Host. The scope is unchanged (S:U), meaning the vulnerability does not cross trust boundaries beyond the local RX Host. While the attack requires prior TX Host compromise, the post-compromise impact is significant enough to warrant a HIGH rating. The score does not account for the narrow trigger conditions (MySQL connector + compression enabled), which may justify risk adjustment in specific deployments.

Frequently asked questions

If we don't use MySQL connectors on our WF-500, are we affected?

No, the vulnerability requires MySQL connector functionality to be configured. If your deployment does not rely on MySQL replication, this particular vulnerability is not exploitable. However, verify your actual configuration against the WF-500 documentation, as defaults may vary.

Can this vulnerability be exploited remotely or over the network?

No. The attack vector is local (AV:L), meaning the attacker must have direct access to the TX Host or the network segment between TX and RX. Remote code execution on the WF-500 itself is not possible with this vulnerability alone.

What is Zip Slip and why is it a concern?

Zip Slip (CWE-23) is a class of vulnerability where a malicious archive (zip, tar, etc.) contains file paths with relative traversal sequences (../) that escape the intended extraction directory. On extraction, the attacker can overwrite system files or place executable code in sensitive locations. In Waterfall's case, this could lead to code execution on the RX Host.

Is there a temporary workaround if we cannot patch immediately?

Yes. Disable file compression on the MySQL connector if operationally feasible, or restrict TX Host access to a minimal set of trusted administrators and network interfaces. These mitigations reduce the attack surface while you prepare for patching. Verify these recommendations with Waterfall's support team for your specific deployment.

This analysis is based on public CVE data and Nozomi Networks Labs research as of the modification date (2026-06-17). Specific patch version numbers, affected build details, and vendor advisory links should be verified directly with Waterfall Security's official communications. Exploitation of this vulnerability requires TX Host access and specific configuration (MySQL connector + compression enabled); risk may differ materially from the published CVSS score depending on your deployment topology. This information is for security awareness and incident response planning only and does not constitute legal, compliance, or operational guidance. Organizations should conduct their own risk assessment and testing before applying patches or operational changes. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).