Description
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
sending malicious input injected into the server username field of the
import preconfiguration action in the API V1 route.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw allows an attacker who is authenticated to the XWEB Pro system to send malicious input into the server username field of the import preconfiguration API V1 route. The injected payload is executed by the underlying operating system, giving the attacker full remote code execution capabilities on the device. This can result in complete system compromise, data tampering, ransomware deployment, or other destructive activities on the network where the device operates.

Affected Systems

The vulnerability affects Copeland XWEB 300D PRO, Copeland XWEB 500B PRO and Copeland XWEB 500D PRO devices running firmware version 1.12.1 or earlier. Users should verify the installed model and firmware version against the listed vendors and ensure they are not using a vulnerable release.

Risk and Exploitability

A CVSS v3 score of 8 indicates high severity, while an EPSS score of less than 1% suggests a low current exploitation probability. The flaw is not listed in CISA’s KEV catalog. Exploitation requires authenticated access to the device’s API, so internal or privileged users can exploit it, highlighting the importance of strict access control. Nevertheless, once exploited, the attacker can run arbitrary commands with the privileges of the web server process, leading to full compromise.

Generated by OpenCVE AI on April 17, 2026 at 14:07 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Apply the latest firmware update for Copeland XWEB Pro devices (addressing OS command injection, CWE‑78) via the Copeland software update page or the SYSTEM – Updates | Network menu.
  • Restrict the import preconfiguration API to only trusted administrators by enforcing strong authentication and limiting API access.
  • If the import preconfiguration feature is not needed, disable or remove the API route, or implement strict input validation on the server username field to block malicious command strings (mitigating CWE‑78).

Generated by OpenCVE AI on April 17, 2026 at 14:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T14:28:55.341Z

Reserved: 2026-02-05T16:47:16.546Z

Link: CVE-2026-23702

cve-icon Vulnrichment

Updated: 2026-03-02T14:28:51.900Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T02:16:18.700

Modified: 2026-02-27T23:08:42.743

Link: CVE-2026-23702

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses