Description
An OS command injection


vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into requests sent to the firmware update
route.
Published: 2026-02-27
Score: 8 High
EPSS: 1.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an OS command injection flaw located in the firmware update endpoint of Copeland XWEB Pro devices. An attacker who can authenticate with valid credentials can send crafted input that the firmware executes as a system command, allowing arbitrary code execution on the device. This leads to compromise of confidentiality, integrity, and availability of the device and any connected networks.

Affected Systems

The flaw impacts Copeland XWEB 300D Pro, XWEB 500B Pro, and XWEB 500D Pro models running firmware version 1.12.1 or earlier. Devices bearing these models are affected.

Risk and Exploitability

The CVSS score of 8.0 categorizes the vulnerability as high severity, while the EPSS score of 0.01589 (≈1.6%) suggests a low chance of exploitation in the wild. The flaw requires authenticated access to the firmware update interface, so only users with valid credentials can potentially exploit it. The vulnerability is not listed in the CISA KEV catalog, which reduces the likelihood of widespread exploitation. Nevertheless, any successful exploitation would immediately allow an attacker to execute arbitrary operating-system commands on the device.

Generated by OpenCVE AI on June 18, 2026 at 13:36 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.


OpenCVE Recommended Actions

  • Download and install the latest firmware for each affected XWEB Pro device from Copeland’s software update portal at https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate.
  • If the device can reach Copeland's servers, use the SYSTEM > Updates -> Network menu on the device to perform an in-device firmware update.
  • Back up the device configuration prior to applying any firmware update to preserve settings.

Generated by OpenCVE AI on June 18, 2026 at 13:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Mon, 02 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T14:30:55.109Z

Reserved: 2026-02-05T16:55:52.370Z

Link: CVE-2026-24517

cve-icon Vulnrichment

Updated: 2026-03-02T14:30:21.719Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T01:16:18.597

Modified: 2026-06-17T10:23:10.930

Link: CVE-2026-24517

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')