CVE-2025-41280 PUBLISHED

Assigner: Nozomi
Reserved: 16.04.2025 Published: 29.05.2026 Updated: 29.05.2026

Nozomi Networks Labs identified a CWE-23: Relative Path Traversal (Zip Slip) in Waterfall WF-500 RX Host in version 7.9.1.0 R2502171040 that allows attackers with access to the TX Host to execute code on the RX Host when a MySQL connector is configured and file compression is enabled.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 7.5

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Local	Confidentiality	High	Confidentiality	None
Attack Complexity	Low	Integrity	High	Integrity	None
Attack Requirements	Present	Availability	High	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	Waterfall
Product	WF-500
Versions	Default: unaffected affected from 0 to 7.9.1.0 R2502171040 (incl.)

Credits

Luca Borzacchiello at Nozomi Networks finder

References

https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-41280

Problem Types

CWE-23 Relative Path Traversal CWE

Impacts

CAPEC-126 Path Traversal