Description
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host.
Published: 2026-05-29
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS Command Injection flaw in the Administration WebUI of the Waterfall WF-500 TX Host that allows an attacker with valid credentials to execute arbitrary operating‑system commands. This flaw can compromise confidentiality, integrity, and availability of the affected device, and could enable complete control of the host.

Affected Systems

The issue affects the Waterfall WF-500 TX Host running firmware version 7.9.1.0 R2502171040.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity and the lack of an EPSS score means the exact exploitation probability is unknown, but the vulnerability is not listed in the CISA KEV catalog. Exploitation requires remote authenticated access to the web interface, suggesting attackers need valid administrative credentials to succeed.

Generated by OpenCVE AI on May 29, 2026 at 12:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WF-500 firmware to the latest version that addresses the command injection flaw.
  • If an upgrade cannot be applied immediately, limit access to the Administration WebUI to trusted administrators and isolate it on a separate network segment.
  • Implement strong authentication controls, such as multi‑factor authentication, to reduce the risk of an attacker gaining the necessary credentials needed to exploit the vulnerability.

Generated by OpenCVE AI on May 29, 2026 at 12:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Waterfall
Waterfall wf-500
Vendors & Products Waterfall
Waterfall wf-500

Fri, 29 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 13:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Waterfall WF‑500 Administration WebUI Enables Remote Execution

Fri, 29 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Administration WebUI in Waterfall WF-500 TX Host in version 7.9.1.0 R2502171040 that allows remote authenticated attackers to execute arbitrary operating system commands on the WF-500 TX Host.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Waterfall Wf-500
cve-icon MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-05-29T14:33:46.968Z

Reserved: 2025-04-16T09:53:41.253Z

Link: CVE-2025-41266

cve-icon Vulnrichment

Updated: 2026-05-29T14:06:01.527Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T12:16:22.823

Modified: 2026-05-29T14:06:26.220

Link: CVE-2025-41266

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:47:07Z

Weaknesses