Impact
The vulnerability is an OS command injection flaw located in the firmware update endpoint of Copeland XWEB Pro devices. An attacker who can authenticate with valid credentials can send crafted input that the firmware executes as a system command, allowing arbitrary code execution on the device. This leads to compromise of confidentiality, integrity, and availability of the device and any connected networks.
Affected Systems
The flaw impacts Copeland XWEB 300D Pro, XWEB 500B Pro, and XWEB 500D Pro models running firmware version 1.12.1 or earlier. Devices bearing these models are affected.
Risk and Exploitability
The CVSS score of 8.0 categorizes the vulnerability as high severity, while the EPSS score of 0.01589 (≈1.6%) suggests a low chance of exploitation in the wild. The flaw requires authenticated access to the firmware update interface, so only users with valid credentials can potentially exploit it. The vulnerability is not listed in the CISA KEV catalog, which reduces the likelihood of widespread exploitation. Nevertheless, any successful exploitation would immediately allow an attacker to execute arbitrary operating-system commands on the device.
OpenCVE Enrichment