Description
Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
Published: 2026-05-29
Score: 9.3 Critical
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Nozomi Networks Labs exposed an OS Command Injection flaw in the Console WebUI of Waterfall WF‑500 devices. The flaw, identified as CWE‑78, allows a remote unauthenticated attacker to inject and execute arbitrary operating‑system commands on the target device. Successful exploitation gives the attacker the ability to run any OS command on the device, thereby providing full control over its operating environment.

Affected Systems

The vulnerability affects Waterfall WF‑500 TX and RX hosts running firmware version 7.9.1.0 R2502171040. Devices with this specific build are therefore in the impact set.

Risk and Exploitability

The CVSS score of 9.3 signals a critical severity. The EPSS score of 1% indicates a low probability of exploitation, but the high score coupled with a remote unauthenticated vector indicates a significant risk of exploitation, especially for devices exposed to the internet or untrusted networks. The flaw is not listed in the CISA KEV catalog, but the lack of an authentication requirement means attackers can launch attacks simply by sending crafted requests to the WebUI endpoint.

Generated by OpenCVE AI on May 29, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Waterfall WF‑500 device to the latest firmware released after R2502171040 to eliminate the vulnerability.
  • Restrict inbound access to the Console WebUI by configuring firewall rules that permit traffic only from trusted IP addresses or VPN tunnels.
  • If available, enable authentication and role‑based access controls on the WebUI to prevent unauthenticated use.

Generated by OpenCVE AI on May 29, 2026 at 15:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Waterfall
Waterfall wf-500
Vendors & Products Waterfall
Waterfall wf-500

Fri, 29 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Waterfall WF‑500 Console WebUI

Fri, 29 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 29 May 2026 13:15:00 +0000

Type Values Removed Values Added
Title OS Command Injection in Waterfall WF‑500 Console WebUI

Fri, 29 May 2026 11:45:00 +0000

Type Values Removed Values Added
Description Nozomi Networks Labs identified a CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the Console WebUI in Waterfall WF-500 TX and RX Hosts in version 7.9.1.0 R2502171040 that allows remote unauthenticated attackers to execute arbitrary operating system commands on the device.
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Waterfall Wf-500
cve-icon MITRE

Status: PUBLISHED

Assigner: Nozomi

Published:

Updated: 2026-05-29T13:40:10.225Z

Reserved: 2025-04-16T09:53:43.283Z

Link: CVE-2025-41276

cve-icon Vulnrichment

Updated: 2026-05-29T13:40:05.163Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-29T12:16:24.050

Modified: 2026-05-29T14:06:26.220

Link: CVE-2025-41276

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T15:46:52Z

Weaknesses