CVE-2025-41268
Relative Path Traversal in Waterfall WF-500 Hosts
Publication date: 2026-05-29
Last updated on: 2026-05-29
Assigner: Nozomi Networks Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nozomi_networks | waterfall_wf-500 | 7.9.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-23 | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me? :
The vulnerability can have a severe impact as it allows attackers to remotely delete any files on the affected host machines without authentication. This could lead to loss of critical data, disruption of services, and potential compromise of system integrity.
What immediate steps should I take to mitigate this vulnerability?
The recommended immediate step to mitigate this vulnerability is to update the Waterfall WF-500 TX and RX Hosts software to version v7.10.0.0 R2601141040.
Can you explain this vulnerability to me?
This vulnerability is a Relative Path Traversal issue (CWE-23) found in the Administration WebUI of Waterfall WF-500 TX and RX Hosts version 7.9.1.0. It allows remote unauthenticated attackers to delete arbitrary files on the host machines by exploiting the web interface.