Description
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
Published: 2026-05-29
Score: 9.3 Critical
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nozomi Networks Labs identified an OS Command Injection flaw in the Console WebUI of Waterfall WF‑500 devices. The vulnerability allows an attacker who can reach the web interface, without authenticating, to supply arbitrary shell commands, which the device executes with system privileges. This flaw is classified as CWE‑78 and can be used to compromise the confidentiality, integrity, and availability of the device and potentially the network it serves.

Affected Systems

The issue exists in Waterfall WF‑500 TX and RX hosts running firmware version 7.9.1.0 R2502171040. Both the TX and RX components expose the vulnerable console web interface.

Risk and Exploitability

The CVSS score of 9.3 indicates critical impact. The EPSS score is 1%, indicating a low but non‑zero likelihood of exploitation, and the flaw is not listed in CISA KEV. The lack of authentication requirements means that anyone with network access to the WebUI can exploit it, granting unrestricted control over the operating system on the affected device.

Generated by OpenCVE AI on May 29, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware patch from Nozomi Networks that addresses the command injection flaw in the WF‑500 console WebUI.
  • Restrict access to the Console WebUI to a trusted IP subnet, or require VPN access together with firewall rules that block unauthenticated traffic.
  • If the console WebUI is not needed for day‑to‑day operations, disable the feature entirely or place it behind an access‑control list so the vulnerable component is no longer exposed.



Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Waterfall
Waterfall wf-500
Vendors & Products Waterfall
Waterfall wf-500

Fri, 29 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Remote OS Command Injection in Waterfall WF-500 Console WebUI

Fri, 29 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 29 May 2026 13:15:00 +0000

Type Values Removed Values Added
Title Remote OS Command Injection in Waterfall WF-500 Console WebUI

Fri, 29 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-05-29T13:37:55.353Z

Reserved: 2025-04-16T09:53:41.254Z

Link: CVE-2025-41274

Vulnrichment

Updated: 2026-05-29T13:37:50.804Z

NVD

Status: Awaiting Analysis

Published: 2026-05-29T12:16:23.810

Modified: 2026-05-29T14:06:26.220

Link: CVE-2025-41274

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:46:55Z

Weaknesses