VYPR
Advisory · Published May 31, 2026 · 1 source

12 Critical and High-Severity CVEs Disclosed in Waterfall WF-500 Unidirectional Security Gateways

Nozomi Networks Labs disclosed 12 vulnerabilities in Waterfall WF-500 TX/RX Hosts, including four critical unauthenticated OS command injection flaws in the Console WebUI.

On May 29, 2026, Nozomi Networks Labs published a coordinated disclosure of 12 vulnerabilities affecting the Waterfall WF-500 TX and RX Host products — industrial-grade unidirectional security gateways used to protect critical infrastructure. The batch spans versions 7.9.1.0 R2502171040 and 7.10.0.0 R2601141040, with four CVEs carrying a Critical severity rating and the remaining eight rated High. The disclosure reveals a dangerous concentration of OS command injection bugs, path traversal flaws, and an out-of-bounds read, several of which can be triggered by unauthenticated remote attackers.

The most severe cluster involves four Critical-rated CVEs — CVE-2025-41275, CVE-2025-41274, CVE-2025-41270, and CVE-2025-41269 — all sharing the same root cause: a CWE-78 OS Command Injection vulnerability in the Console WebUI of both WF-500 TX and RX Hosts running version 7.9.1.0 R2502171040. According to Nozomi's descriptions, these flaws allow remote unauthenticated attackers to execute arbitrary operating system commands on the device. The presence of multiple distinct CVEs for what appears to be the same component suggests separate injection points or code paths within the Console WebUI were identified and individually tracked.

Three additional High-severity OS command injection vulnerabilities were found in the Administration WebUI of the WF-500 TX Host: CVE-2025-41265, CVE-2025-41266, and CVE-2025-41267. These require remote authenticated access but still permit arbitrary OS command execution on the WF-500 TX Host. The Administration WebUI on the RX Host is also affected — CVE-2025-41279 is a High-severity OS command injection in the RX Host's Administration WebUI, also requiring authentication.
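The CWE-78 pattern behind the Console and Administration WebUI findings is a request parameter concatenated into a shell command. The following is an added illustration written for this page, not code from the WF-500 firmware or from Nozomi's research: the handler, the `host` parameter and the `ping` diagnostic are assumptions. It shows the vulnerable construction next to the hardened form (allow-list validation plus an argv list with `shell=False`), which is the mitigation a vendor fix for this bug class normally takes.

```python
import re
import subprocess

# Constructed scenario: a management web handler that runs a "ping" diagnostic
# against a user-supplied host name. Hypothetical; not WF-500 code.

# Allow-list for a plain host name: letters, digits, dots, hyphens only.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def vulnerable_build_command(host: str) -> str:
    """The CWE-78 shape: untrusted input spliced into a single shell string.
    Executed through a shell, any metacharacter in `host` becomes part of the
    command line, which is exactly what the Console WebUI CVEs describe."""
    return f"ping -c 1 {host}"


def validate_hostname(host: str) -> str:
    """Reject anything that is not a syntactically plain host name."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return host


def hardened_build_command(host: str) -> list:
    """Hardened form: validated value passed as one discrete argv element,
    so no shell ever interprets it."""
    return ["ping", "-c", "1", validate_hostname(host)]


def run_hardened(host: str) -> int:
    """Execute the hardened command with shell=False and return its exit status.
    Output is discarded here; a real handler would capture and escape it."""
    completed = subprocess.run(
        hardened_build_command(host),
        shell=False,
        check=False,
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
    )
    return completed.returncode


if __name__ == "__main__":
    print(vulnerable_build_command("gateway.example"))
    print(hardened_build_command("gateway.example"))
```

The validator is deliberately strict: the fix is not to strip a list of dangerous characters but to accept only the characters the parameter legitimately needs, and to keep the shell out of the call path entirely.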

Two High-severity vulnerabilities stand out for their attack chain potential. CVE-2025-41281 is an OS command injection (CWE-78) in the RX Host that can be exploited by attackers who already have access to the TX Host — but only when a MySQL connector is configured. CVE-2025-41280 is a Relative Path Traversal (Zip Slip) vulnerability (CWE-23) in the RX Host under the same preconditions (TX Host access + MySQL connector + file compression enabled). Together, these two CVEs describe a lateral movement scenario: an attacker who compromises the TX side can pivot to the RX side through the MySQL connector pathway.
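Zip Slip (CWE-23) arises when an archive member named with `../` segments is written relative to the extraction directory without checking where the joined path resolves. The block below is an added example for this page, not code from Waterfall or Nozomi: the archive contents and directory layout are constructed. It builds a small archive containing one traversal entry, classifies every member against the destination directory using `os.path.realpath` and `os.path.commonpath`, and refuses the whole archive before writing anything if any member escapes.

```python
import io
import os
import tempfile
import zipfile

# Constructed sample input, not a real WF-500 artifact: one benign entry and
# one entry whose name tries to climb out of the extraction directory.


def build_sample_archive(include_traversal: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("reports/daily.csv", "ts,value\n1,2\n")
        if include_traversal:
            zf.writestr("../../escaped.txt", "should never be written")
    return buf.getvalue()


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """True only if dest_dir/member_name resolves to a path inside dest_dir.
    realpath collapses '..' and symlinks; commonpath catches absolute names."""
    dest_real = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest_real, member_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def classify_members(zip_bytes: bytes, dest_dir: str):
    """Split archive members into (safe, unsafe) name lists for auditing."""
    safe, unsafe = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            (safe if is_safe_member(dest_dir, info.filename) else unsafe).append(info.filename)
    return safe, unsafe


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Validate every member first, then extract. Raises before any write if a
    member would land outside dest_dir; returns the names written."""
    _, unsafe = classify_members(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError(f"archive rejected, traversal entries: {unsafe}")
    written = []
    dest_real = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest_real, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as fh:
                fh.write(zf.read(info))
            written.append(info.filename)
    return written


def run_demo() -> dict:
    """Exercise both archives in a fresh temp directory; returns the outcomes."""
    dest = tempfile.mkdtemp(prefix="zipslip-demo-")
    safe, unsafe = classify_members(build_sample_archive(True), dest)
    try:
        safe_extract(build_sample_archive(True), dest)
        rejected = False
    except ValueError:
        rejected = True
    written = safe_extract(build_sample_archive(False), dest)
    return {
        "safe": safe,
        "unsafe": unsafe,
        "malicious_rejected": rejected,
        "written": written,
        "csv_exists": os.path.isfile(os.path.join(dest, "reports", "daily.csv")),
        "escape_exists": os.path.exists(os.path.join(dest, "..", "..", "escaped.txt")),
    }


if __name__ == "__main__":
    print(run_demo())
```

Rejecting the whole archive rather than silently skipping the bad member is the right default for a gateway: an archive with a traversal entry is hostile input, and dropping it (and logging the member name) gives the operator a detection signal for the TX-to-RX chain described above.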

CVE-2025-41271 is a High-severity Relative Path Traversal (CWE-23) in the Console WebUI affecting both TX and RX Hosts. Critically, this flaw requires no authentication, allowing remote unauthenticated attackers to read arbitrary files from the device. This could be used to harvest credentials, configuration data, or cryptographic material to deepen an attack. CVE-2025-41278 is an Out-of-bounds Read (CWE-125) affecting the RX Host in version 7.10.0.0 R2601141040 — a different version than the bulk of the batch. It allows attackers with TX Host access to execute code on the RX Host, adding a memory-safety vector to the cross-host attack surface.

Waterfall has not yet released a consolidated patch advisory covering all 12 CVEs as of the disclosure date. Users of the WF-500 TX and RX Hosts running versions 7.9.1.0 R2502171040 and 7.10.0.0 R2601141040 should immediately restrict network access to the Console WebUI and Administration WebUI interfaces, ensuring they are not exposed to untrusted networks. Disabling the MySQL connector and file compression features where not operationally required can mitigate the cross-host attack chain described by CVE-2025-41281 and CVE-2025-41280. Organizations should monitor Waterfall's security advisory channel for patched firmware releases.

The Waterfall WF-500 is deployed in industrial control system (ICS) and critical infrastructure environments where unidirectional gateways enforce strict data diode policies. A compromise of these devices could allow an attacker to bypass the very isolation the gateway is designed to provide. The concentration of unauthenticated command injection bugs — four Critical CVEs in the Console WebUI alone — means that any exposure of the management interface to a network represents a complete device takeover risk. Nozomi Networks Labs, an OT security firm, identified these flaws, underscoring the growing scrutiny of data diode and unidirectional gateway products by the industrial cybersecurity community.

Synthesized by Vypr AI