Description
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
supplying a crafted template file to the devices route.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw in XWEB Pro 1.12.1 and earlier lets a user with authenticated access to the device supply a specially crafted template file, causing the vendor’s route handler to execute arbitrary shell commands. The vulnerability enables remote code execution, giving the attacker full control over the affected system and any connected subsystems.

Affected Systems

The flaw affects Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO models running firmware versions up to but not including the latest released versions. All devices that are using the embedded firmware for these three hardware lines and have not applied the vendor‑provided updates are vulnerable.

Risk and Exploitability

With a CVSS score of 8.0 the technical severity is high, yet the EPSS indicates a very low probability of active exploitation (< 1 %). The vulnerability is not listed in the CISA KEV catalog, suggesting that known exploits are not currently widespread. Attackers must first authenticate to the system, then upload a malicious template, after which the operating system commands are executed, enabling full remote compromise. The relatively low EPSS score reflects that although the issue is severe, it requires both privileged execution and knowledge of the proprietary upload mechanism, limiting its immediate threat level.

Generated by OpenCVE AI on April 17, 2026 at 14:07 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Apply the latest firmware release for XWEB Pro via the Copeland software update portal or through the device’s NETWORK update menu to replace version 1.12.1 and earlier.
  • Restrict administrative access by enforcing strong, role‑based credentials and disabling or isolating remote administrative interfaces where possible.
  • Implement network segmentation or firewall rules to limit external reachability of the XWEB Pro devices until the patch is deployed, mitigating the impact of any potential exploitation.

Generated by OpenCVE AI on April 17, 2026 at 14:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted template file to the devices route.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T12:48:21.776Z

Reserved: 2026-02-05T16:47:16.539Z

Link: CVE-2026-24452

cve-icon Vulnrichment

Updated: 2026-03-02T12:48:14.675Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T02:16:18.897

Modified: 2026-02-27T23:08:17.530

Link: CVE-2026-24452

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses