CVE-2025-41281: Waterfall WF-500 OS Command Injection
Nozomi Networks Labs discovered a code execution vulnerability in Waterfall's WF-500 RX Host that allows attackers already inside a network to run arbitrary commands. The vulnerability is triggered when a MySQL connector is configured and an attacker with access to the connected TX Host sends malicious input. This is a local privilege escalation scenario where internal network access is the prerequisite for exploitation.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2025-41281 is an OS command injection vulnerability (CWE-78) affecting Waterfall WF-500 RX Host version 7.9.1.0 R2502171040. The vulnerability exists in the handling of MySQL connector parameters, where user-supplied input is not properly neutralized before being passed to OS command execution functions. An authenticated attacker with TX Host access can inject shell metacharacters to execute arbitrary commands on the RX Host with the privileges of the application process. The CVSS 3.1 score of 7.8 (HIGH) reflects local attack vector, low attack complexity, low privilege requirements, and full impact across confidentiality, integrity, and availability.
Business impact
For organizations operating Waterfall WF-500 appliances in industrial control or critical infrastructure environments, successful exploitation could result in lateral movement to downstream systems, data exfiltration from database connections, or disruption of monitoring and safety functions. Since WF-500 is typically deployed at network trust boundaries, compromise of the RX Host could undermine the entire segmentation strategy and expose downstream OT/IT assets.
Affected systems
Waterfall WF-500 RX Host running version 7.9.1.0 R2502171040 is confirmed affected. Organizations should verify their firmware versions immediately, as earlier and later versions may also be vulnerable depending on patch status. Waterfall Security should be consulted for a definitive version scope.
Exploitability
The vulnerability requires local network access to the TX Host and authenticated credentials or session access—it is not remotely exploitable from the internet. However, within a compromised network segment or for insider threats, exploitation is straightforward once TX Host access is obtained. The low attack complexity and lack of user interaction requirements mean that once network access is achieved, an attacker can reliably execute code. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog, but the attack vector and simplicity suggest it could be prioritized by threat actors targeting industrial networks.
Remediation
Contact Waterfall Security immediately for patched firmware versions addressing CVE-2025-41281. In the interim, restrict network access to the TX Host and disable MySQL connectors if not actively required. Review access controls to ensure only authorized administrators can reach TX Host management interfaces. Consider network segmentation to limit lateral movement potential from a compromised TX Host.
Patch guidance
Obtain the latest firmware build from Waterfall Security that addresses this vulnerability. Verify the specific version number in their advisory before deployment. Schedule maintenance windows to apply the patch, as firmware updates typically require appliance restart. Test the patched version in a non-production environment first to confirm MySQL connector functionality and operational compatibility. Document the patch date and version for compliance and audit records.
Detection guidance
Monitor TX Host access logs for unusual authentication patterns or administrative activities. Inspect system logs on RX Host for unexpected process execution, particularly shell commands spawned from database connector processes. Look for command injection patterns in TX Host application logs—attempts to insert shell metacharacters (backticks, $(), |, &&, semicolons) into MySQL connector configuration parameters. Network-based detection should flag abnormal communication patterns between TX and RX Hosts outside normal operational baselines.
Why prioritize this
Although not in CISA's KEV catalog, this vulnerability scores HIGH (7.8) due to full CIA impact in a trusted appliance. The industrial control network context amplifies risk: WF-500 is a network security appliance, so its compromise directly undermines downstream asset protection. The local-only attack vector reduces external threat likelihood, but insider threats and supply chain compromise are plausible in OT environments. Organizations with WF-500 deployments protecting critical infrastructure should treat this as urgent.
Risk score, explained
The CVSS 3.1 score of 7.8 (HIGH) reflects: Local Attack Vector (network access required); Low Attack Complexity (no special conditions); Low Privilege Requirements (standard user permissions sufficient); No User Interaction; and Unchanged Scope with High confidentiality, integrity, and availability impact. The score appropriately captures the severity of arbitrary code execution within the appliance, though the local-only attack vector prevents a critical rating. Context—network appliance in critical infrastructure—elevates business risk above the base CVSS score.
Frequently asked questions
Is my WF-500 vulnerable if I don't use MySQL connectors?
If MySQL connectors are not configured, the attack pathway is not available. However, verify your configuration explicitly; some deployments may have connectors enabled by default. Waterfall Security advisory should clarify scope.
Can this vulnerability be exploited from the internet?
No. The attack vector is local (AV:L), requiring prior compromise of or authorized access to the TX Host. It is not a remote code execution vulnerability.
What should I do if I cannot patch immediately?
Implement strict network access controls limiting who can reach the TX Host; disable MySQL connectors if operationally feasible; enable enhanced logging on both TX and RX Hosts; and monitor for exploitation signs. Isolate the WF-500 from the internet and non-critical network segments.
Is there a workaround instead of patching?
A technical workaround may exist—consult Waterfall Security advisory directly. Disabling MySQL connectors is a functional mitigation if they are not business-critical, but patching is the recommended remediation.
This analysis is based on the CVE record and Nozomi Networks Labs disclosure as of June 2026. Specific patch version numbers and detailed remediation steps must be verified against the official Waterfall Security advisory. No exploit code or weaponized proof-of-concept is provided. Organizations should conduct testing in non-production environments before deploying patches. This analysis is provided for informational and defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability
- CVE-2026-10273HIGHRemote Code Execution in php-censor Webhook Handler