CVE-2026-20910 - Vulnerability Details

- Copeland XWEB and XWEB Pro OS Command Injection

Description

An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the devices field of the firmware update
update action to achieve remote code execution.

Published: 2026-02-27

Score: 8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

An OS command injection flaw exists in the firmware update mechanism of Copeland XWEB Pro devices, specifically for versions 1.12.1 and earlier. The defect allows an attacker who can authenticate to the device to inject malicious shell commands through the devices field during a firmware update request. Successful exploitation grants the attacker remote code execution privileges on the affected system, enabling full control over the device and potential propagation to other network resources.

Affected Systems

The vulnerability impacts Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO models. All listed devices running firmware versions 1.12.1 or older are affected. The vulnerability is tied to the firmware update feature provided in the device’s management interface.

Risk and Exploitability

The CVSS score of 8.0 highlights significant severity, but the EPSS score of less than 1% indicates that the likelihood of exploitation is low under current conditions. The vulnerability is not catalogued in CISA’s KEV list, which further suggests limited observed exploitation. Attackers would need valid credentials and likely physical or network access to the device’s configuration interface to trigger the injection. The absence of a public exploit does not diminish the importance of remediation, given the remote code execution potential.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Copeland

Copeland XWEB 300D PRO

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.12.1

Copeland

Copeland XWEB 500D PRO

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.12.1

Copeland

Copeland XWEB 500B PRO

unaffected

Version	Status	Constraints
`0`	affected	≤ 1.12.1

Configuration 1 [-]

AND

cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Copeland

Copeland Xweb 300d Pro

100%

Version	Status	Scheme	Platform
`[0,1.12.1]`	affected	generic	—

Copeland

Copeland Xweb 500b Pro

100%

Version	Status	Scheme	Platform
`[0,1.12.1]`	affected	generic	—

Copeland

Copeland Xweb 500d Pro

100%

Version	Status	Scheme	Platform
`[0,1.12.1]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

Update Copeland XWEB Pro firmware to the latest released version using the official software update page or through the device’s SYSTEM – Updates | Network menu.
Reboot the updated device to ensure the new firmware is fully initialized.
Restrict network access to the firmware update functionality or segment the device from untrusted networks to reduce the attack surface.

Generated by OpenCVE AI on April 16, 2026 at 15:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00245.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json
https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10

History

Tue, 03 Mar 2026 06:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Fri, 27 Feb 2026 23:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Copeland xweb 300d Pro Copeland xweb 300d Pro Firmware Copeland xweb 500b Pro Copeland xweb 500b Pro Firmware Copeland xweb 500d Pro Copeland xweb 500d Pro Firmware
CPEs		cpe:2.3:h:copeland:xweb_300d_pro:-:::::::* cpe:2.3:h:copeland:xweb_500b_pro:-:::::::* cpe:2.3:h:copeland:xweb_500d_pro:-:::::::* cpe:2.3:o:copeland:xweb_300d_pro_firmware:::::::: cpe:2.3:o:copeland:xweb_500b_pro_firmware:::::::: cpe:2.3:o:copeland:xweb_500d_pro_firmware::::::::
Vendors & Products		Copeland xweb 300d Pro Copeland xweb 300d Pro Firmware Copeland xweb 500b Pro Copeland xweb 500b Pro Firmware Copeland xweb 500d Pro Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Copeland Copeland copeland Xweb 300d Pro Copeland copeland Xweb 500b Pro Copeland copeland Xweb 500d Pro
Vendors & Products		Copeland Copeland copeland Xweb 300d Pro Copeland copeland Xweb 500b Pro Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type	Values Removed	Values Added
Description		An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update update action to achieve remote code execution.
Title		Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses		CWE-78
References		https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10
Metrics		cvssV3_1 `{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2026-02-27T00:46:14.644Z

Updated: 2026-03-03T01:27:24.182Z

Reserved: 2026-02-05T16:55:52.391Z

Link: CVE-2026-20910

Vulnrichment

Updated: 2026-03-03T01:27:20.365Z

NVD

Status : Analyzed

Published: 2026-02-27T01:16:17.707

Modified: 2026-02-27T23:12:37.947

Link: CVE-2026-20910

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object