Description
An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1
and prior, enabling unauthenticated attackers to read arbitrary files on
the system, and potentially causing a denial-of-service attack.
Published: 2026-02-27
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized File Read and Potential Denial of Service
Action: Patch
AI Analysis

Impact

An arbitrary file‑read vulnerability exists in Copeland XWEB Pro firmware versions 1.12.1 and earlier, enabling attackers that do not need any credentials to read any file on the device. The flaw can also trigger a denial‑of‑service condition by exhausting available file descriptors or corrupting critical configuration files. The weakness is a classic path‑traversal issue, identified as CWE‑22.

Affected Systems

The vulnerability affects Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO models running firmware 1.12.1 or earlier. These industrial devices are typically deployed in control panels and network interface units within manufacturing or infrastructure environments.

Risk and Exploitability

The CVSS score of 3.7 indicates moderate severity, while an EPSS score of less than 1% suggests a very low current exploit likelihood. The vulnerability is not listed in CISA’s KEV catalog, indicating no known widespread exploitation. Based on the description, attackers can exploit the flaw remotely through the web interface without authentication. Because the impact is read‑only, the primary threat is information disclosure and possible service disruption; full system compromise would require additional weaknesses not described here.

Generated by OpenCVE AI on April 18, 2026 at 10:19 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Update all affected XWEB Pro devices to the latest firmware using Copeland’s software update page or the built‑in Network update menu.
  • Disallow unauthenticated remote access to the XWEB Pro web interface until the patch is applied to reduce the attack surface.
  • Limit network access to the XWEB Pro web UI by restricting it to trusted IP ranges or requiring VPN connectivity to minimize exposure.

Generated by OpenCVE AI on April 18, 2026 at 10:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack.
Title Copeland XWEB and XWEB Pro Path Traversal
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T14:26:42.805Z

Reserved: 2026-02-05T16:47:16.591Z

Link: CVE-2026-22877

cve-icon Vulnrichment

Updated: 2026-03-02T14:26:39.799Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T02:16:18.507

Modified: 2026-02-27T23:09:41.677

Link: CVE-2026-22877

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses