Waterfall WF-500, Relative Path Traversal, CVE-2025-41271 (Critical) -DC-Jun2026-78

Listen to this Post

Intro

CVE-2025-41271 is a critical vulnerability identified by Nozomi Networks Labs in Waterfall WF-500 TX and RX Hosts running firmware version 7.9.1.0 R2502171040. The flaw resides in the Console WebUI component and is classified as CWE-23: Relative Path Traversal. An unauthenticated, remote attacker can leverage this path traversal weakness to read arbitrary files from the device’s filesystem without any prior access or credentials. The issue stems from improper sanitization of user-supplied input that influences filesystem operations. By crafting malicious HTTP requests with directory traversal sequences (e.g., ../../), an attacker can break out of the intended web root and access sensitive operating system files. Because the vulnerable web endpoint does not validate file paths, it blindly concatenates the user input with a base directory, enabling the attacker to read configuration files, system logs, authentication material, and potentially proprietary software artifacts. The attack is network-based (AV:N), requires low complexity (AC:L), and demands no privileges or user interaction (PR:N, UI:N), leading to a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 score of 8.7 (High). This vulnerability poses a severe risk to industrial control system (ICS) environments where Waterfall WF-500 devices are deployed as unidirectional security gateways, potentially allowing an adversary to exfiltrate operational data and pivot to internal networks.

DailyCVE Form:

Platform: Waterfall WF-500
Version: 7.9.1.0 R2502171040
Vulnerability : Relative Path Traversal
Severity: Critical (CVSS 8.7)
date: 2026-05-29

Prediction: Patch expected Q3 2026

Analytics: What Undercode Say

The following `curl` command demonstrates how an attacker could exploit the path traversal to read the device’s `/etc/passwd` file:

curl -v --path-as-is 'https://<target-ip>:<port>/console/../../../../etc/passwd'

A `nmap` script could be used to probe for the vulnerability:

http-vuln-cve2025-41271.nse

Exploit

An unauthenticated attacker sends a GET request to the vulnerable Console WebUI endpoint with directory traversal payloads in the filename parameter. The server fails to sanitize the `../` sequences, allowing retrieval of arbitrary files.

Protection

Apply vendor-supplied firmware patches immediately upon release. If patching is not possible, restrict access to the Console WebUI using network segmentation or firewall rules to allow only trusted IP addresses.

Impact

Successful exploitation leads to unauthorized information disclosure, exposing sensitive configuration data, logs, and credentials. This could facilitate further attacks, compromise ICS integrity, and violate data protection regulations.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Previous

Waterfall WF-500 TX Host, OS Command Injection, CVE-2025-41267 (Critical) -DC-Jun2026-77

Scroll to Top