OS Command Injection Vulnerability in Waterfall WF-500 TX Host by Nozomi Networks
CVE-2025-41267

8.5HIGH

Key Information:

Vendor: Waterfall
Status: Wf-500
Vendor: CVE Published:; 29 May 2026

What is CVE-2025-41267?

A vulnerability has been identified in the Administration WebUI of the Waterfall WF-500 TX Host that permits remote authenticated attackers to inject and execute arbitrary operating system commands. This flaw arises from improper neutralization of special elements, specifically categorized under CWE-78, allowing attackers to exploit the system's command execution capabilities, potentially compromising the overall security of the host system.

Affected Version(s)

WF-500 0 <= 7.9.1.0 R2502171040

References

https://www.nozominetworks.com/labs/vulnerability-advisor...

third-party-advisory

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

Luca Borzacchiello at Nozomi Networks

CVE-2025-41267 Data

JSON