Description
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the devices field of the firmware update action to achieve remote code execution.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection vulnerability exists in Copeland XWEB Pro firmware version 1.12.1 and prior, allowing an authenticated attacker to inject malicious shell commands via the devices field in the firmware update action. Successful exploitation grants remote code execution on the affected device, providing full control over the system and potential spread to other network resources.

Affected Systems

The vulnerability impacts Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO models. All listed devices running firmware versions 1.12.1 or older are affected. The vulnerability is tied to the firmware update feature provided in the device’s management interface.

Risk and Exploitability

The CVSS score of 8.0 highlights significant severity, but the EPSS score of less than 1% indicates that the likelihood of exploitation is low under current conditions. The vulnerability is not catalogued in CISA’s KEV list, which further suggests limited observed exploitation. Attackers would need valid credentials and likely physical or network access to the device’s configuration interface to trigger the injection. The absence of a public exploit does not diminish the importance of remediation, given the remote code execution potential.

Generated by OpenCVE AI on June 4, 2026 at 22:25 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Update Copeland XWEB Pro firmware to the latest released version using the official software update page or through the device’s SYSTEM – Updates | Network menu.
  • Reboot the updated device to ensure the new firmware is fully initialized.
  • Restrict network access to the firmware update functionality or segment the device from untrusted networks to reduce the attack surface.

Generated by OpenCVE AI on June 4, 2026 at 22:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update update action to achieve remote code execution. An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code execution.

Tue, 03 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update update action to achieve remote code execution.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-04T21:23:35.378Z

Reserved: 2026-02-05T16:55:52.391Z

Link: CVE-2026-20910

cve-icon Vulnrichment

Updated: 2026-03-03T01:27:20.365Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T01:16:17.707

Modified: 2026-06-04T22:16:52.453

Link: CVE-2026-20910

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T22:30:25Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')