Description
Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to delete arbitrary files on the Host machines.
Published: 2026-05-29
Score: 8.8 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a relative path traversal flaw (CWE-23) in the Administration WebUI of Waterfall WF-500 TX and RX Hosts. An attacker who can reach the web interface without authentication can specify paths that escape the intended directory, allowing the deletion of arbitrary files on the host system. This can result in permanent data loss and potentially disrupt network monitoring operations.

Affected Systems

Waterfall:WF-500 TX and RX Hosts, specifically version 7.9.1.0 R2502171040. No other versions or firmware revisions were listed as affected.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity, and the EPSS score of 1% suggests a low but non-zero probability of exploitation. The attack can be launched remotely through the web UI and requires no authentication, making it globally exploitable. No current listing in CISA KEV indicates no known active exploits yet, but the potential for immediate destructive impact warrants urgent attention.

Generated by OpenCVE AI on May 29, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Waterfall WF-500 firmware to the latest release that addresses the relative path traversal flaw.
  • If a patch is unavailable, block external traffic to the Administration WebUI on port 443/80 using firewalls or network segmentation to prevent unauthenticated access.
  • Enable file integrity monitoring on critical system directories to detect and alert on unexpected file deletions, and apply stricter permissions to reduce the impact of potential path traversal.

Generated by OpenCVE AI on May 29, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Waterfall
Waterfall wf-500
Vendors & Products Waterfall
Waterfall wf-500

Fri, 29 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Relative Path Traversal Allowing Remote File Deletion in Waterfall WF-500 Administration WebUI

Fri, 29 May 2026 13:45:00 +0000

Type Values Removed Values Added
Title Relative Path Traversal Allowing Remote File Deletion in Waterfall WF-500 Administration WebUI

Fri, 29 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description Nozomi Networks Labs identified a CWE-23: Relative Path Traversal in the Administration WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to delete arbitrary files on the Host machines.
Weaknesses CWE-23
References
Metrics cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Waterfall Wf-500
cve-icon MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-05-29T13:41:30.693Z

Reserved: 2025-04-16T09:53:41.253Z

Link: CVE-2025-41268

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T12:16:23.067

Modified: 2026-05-29T14:06:26.220

Link: CVE-2025-41268

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:47:04Z

Weaknesses