Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration, which is later processed during system setup, resulting in remote code execution.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw exists in Copeland XWEB Pro firmware versions 1.12.1 and earlier. By supplying malicious input in the device hostname field, an attacker who has authenticated to the system can cause the host configuration script to execute arbitrary shell commands, giving the attacker remote code execution capabilities. This is a classic privilege-escalating flaw corresponding to CWE-78 (improper neutralization of special elements used in an OS command).

Affected Systems

The flaw affects Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO devices running firmware versions up to and including 1.12.1. No versions newer than 1.12.1 are listed as affected. The vulnerability is limited to these specific products and their build releases.

Risk and Exploitability

The CVSS score is 8.0, indicating high severity. The EPSS score is below 1%, which reflects a low but non-zero probability of exploitation in the wild, and the vulnerability is not currently indexed in the CISA Known Exploited Vulnerabilities catalog. Attackers would need to authenticate to the device, which typically requires administrative credentials, and then submit a crafted hostname value. Once the device processes the hostname during setup, it runs the supplied value as an OS command, resulting in full remote compromise. Given the high impact and the need for prior authentication, the risk to unprotected devices remains significant until the firmware fix is applied.

Generated by OpenCVE AI on April 16, 2026 at 15:39 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends that users update XWEB Pro to the latest version from the software update page at https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate, in the sections dedicated to the different XWEB Pro models.


OpenCVE Recommended Actions

  • Apply the latest XWEB Pro firmware update from Copeland's software update page or via the System → Updates menu on the device.
  • Block external access to the device's management interface, for example by limiting it with firewall rules or by placing the device in a restricted VLAN.
  • Sanitize hostname input so that only alphanumeric characters are allowed, or otherwise remove the ability to set custom hostnames until the patch can be applied.
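The third action above, input sanitization, is only a stop-gap; the durable fix is to never let a shell parse the hostname at all. The following added example (not Copeland's code, and not from this advisory) combines both: an allowlist validator for the hostname value, slightly wider than "alphanumeric only" because it also accepts interior hyphens and dot-separated labels as RFC 1123 allows, and an argv-based launcher that passes the validated value to the hostname command as a single exec argument. The sample inputs and the `run` parameter are constructed for this illustration.

```python
import re
import subprocess

# Allowlist for one DNS label (RFC 1123): starts and ends with a letter or
# digit, interior may contain hyphens, at most 63 characters. Drop '-' from
# the character class to get the strictly alphanumeric rule recommended above.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
MAX_HOSTNAME_LEN = 253  # RFC 1035 limit for a full name


def is_valid_hostname(name: str) -> bool:
    """True only if every dot-separated label matches the allowlist."""
    if not name or len(name) > MAX_HOSTNAME_LEN:
        return False
    return all(LABEL_RE.fullmatch(label) for label in name.split("."))


def hostname_argv(name: str) -> list:
    """Validate first, then return an argv list for the hostname command.

    The value becomes exactly one exec argument; no shell ever parses it, so
    separators or substitutions inside it cannot turn into a second command.
    """
    if not is_valid_hostname(name):
        raise ValueError("rejected hostname: %r" % name)
    return ["hostname", name]


def apply_hostname(name: str, run=subprocess.run) -> int:
    """Apply a hostname via the argv form; `run` is injectable for tests."""
    return run(hostname_argv(name), shell=False, check=False).returncode


# Constructed sample inputs, as a device setup script might receive them.
SAMPLES = {
    "xweb-pro-01": True,
    "plant2.cold-room": True,
    "": False,
    "-leading-hyphen": False,
    "under_score": False,
    "xweb;id": False,           # shell command separator
    "xweb$(uptime)": False,     # command substitution
    "a" * 64: False,            # label longer than 63 characters
}


def audit(samples=SAMPLES) -> bool:
    """Return True if the validator's verdict matches every expectation."""
    return all(is_valid_hostname(n) is ok for n, ok in samples.items())


if __name__ == "__main__":
    print("validator self-check:", audit())
```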



Advisories

No advisories yet.

History

Mon, 02 Mar 2026 15:15:00 +0000

Type: Metrics
Values removed: none
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 23:15:00 +0000

Type: First Time appeared
Values removed: none
Values added:
  Copeland xweb 300d Pro
  Copeland xweb 300d Pro Firmware
  Copeland xweb 500b Pro
  Copeland xweb 500b Pro Firmware
  Copeland xweb 500d Pro
  Copeland xweb 500d Pro Firmware

Type: CPEs
Values removed: none
Values added:
  cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
  cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
  cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
  cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values removed: none
Values added:
  Copeland xweb 300d Pro
  Copeland xweb 300d Pro Firmware
  Copeland xweb 500b Pro
  Copeland xweb 500b Pro Firmware
  Copeland xweb 500d Pro
  Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

Type: First Time appeared
Values removed: none
Values added:
  Copeland
  Copeland copeland Xweb 300d Pro
  Copeland copeland Xweb 500b Pro
  Copeland copeland Xweb 500d Pro

Type: Vendors & Products
Values removed: none
Values added:
  Copeland
  Copeland copeland Xweb 300d Pro
  Copeland copeland Xweb 500b Pro
  Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:30:00 +0000

Type: Description
Values removed: none
Values added: An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system setup, resulting in remote code execution.

Type: Title
Values removed: none
Values added: Copeland XWEB and XWEB Pro OS Command Injection

Type: Weaknesses
Values removed: none
Values added: CWE-78

Type: References
Values removed: none
Values added: none

Type: Metrics
Values removed: none
Values added: cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T14:28:10.662Z

Reserved: 2026-02-05T16:47:16.562Z

Link: CVE-2026-20764

Vulnrichment

Updated: 2026-03-02T14:28:06.542Z

NVD

Status: Analyzed

Published: 2026-02-27T02:16:18.140

Modified: 2026-02-27T23:11:05.393

Link: CVE-2026-20764

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses