Description
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
Published: 2026-05-29
Score: 9.3 Critical
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nozomi Networks Labs identified an OS Command Injection flaw in the Console WebUI of Waterfall WF‑500 TX and RX Hosts running firmware version 7.9.1.0 R2502171040. This flaw, classified as CWE‑78, permits remote attackers who do not need to authenticate to send specially crafted requests that inject operating system commands into the server’s execution context. If an attacker succeeds, they can run arbitrary commands on the device, potentially exposing sensitive data, modifying system configuration, or disrupting normal operation.

Affected Systems

The vulnerability affects Waterfall Communications Systems’ WF‑500 TX and RX hosts running firmware 7.9.1.0 R2502171040. No other firmware revisions or product lines are reported as vulnerable in the current advisory.

Risk and Exploitability

The CVSS score of 9.3 categorizes this issue as Critical. Because the attack vector is remote and authentication is not required, the risk of exploitation is high. The EPSS score of 1% indicates a low but nonzero likelihood of exploitation, and the vulnerability is not listed in CISA’s KEV catalog; however, the combination of a high severity metric and the absence of defensive controls in the WebUI indicates that exploitation is plausible. Based on the description, it is inferred that an attacker would send a crafted HTTP request to the Console WebUI to trigger the injection; if processed, the injected command is executed in the device’s operating system.

Generated by OpenCVE AI on May 29, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the device firmware to the latest release that contains a fix for the OS Command Injection vulnerability.
  • Limit external access to the Console WebUI by implementing firewall rules or VPN so that only trusted administrators can reach it.
  • Enforce strong authentication mechanisms for all WebUI access, including multi‑factor authentication if possible.

Generated by OpenCVE AI on May 29, 2026 at 15:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Waterfall
Waterfall wf-500
Vendors & Products Waterfall
Waterfall wf-500

Fri, 29 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Remote OS Command Injection in Waterfall WF-500 Console WebUI

Fri, 29 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Waterfall Wf-500
cve-icon MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-05-29T13:40:36.071Z

Reserved: 2025-04-16T09:53:43.283Z

Link: CVE-2025-41275

cve-icon Vulnrichment

Updated: 2026-05-29T13:40:32.194Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T12:16:23.930

Modified: 2026-05-29T14:06:26.220

Link: CVE-2025-41275

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:46:54Z

Weaknesses