OS Command Injection Vulnerability in Waterfall WF-500 RX Host by Nozomi Networks
CVE-2025-41281

7.5HIGH

Key Information:

Vendor: Waterfall
Status: Wf-500
Vendor: CVE Published:; 29 May 2026

What is CVE-2025-41281?

An OS command injection vulnerability exists in the Waterfall WF-500 RX Host, which is identified by improper neutralization of special elements. This flaw allows attackers with access to the TX Host to execute arbitrary code on the RX Host, particularly when a MySQL connector is in use. Exploiting this vulnerability could lead to unauthorized access and potential system compromise.

Affected Version(s)

WF-500 0 <= 7.9.1.0 R2502171040

References

https://www.nozominetworks.com/labs/vulnerability-advisor...

third-party-advisory

CVSS V4

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
Apr 16, 2025

Credit

Luca Borzacchiello at Nozomi Networks

CVE-2025-41281 Data

JSON