Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1
and prior, enabling an unauthenticated attacker to achieve remote code
execution on the system by sending a crafted request to the libraries
installation route and injecting malicious input into the request body.
Published: 2026-02-27
Score: 9 Critical
EPSS: 1.2% Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw exists in Copeland XWEB Pro firmware versions 1.12.1 and earlier, allowing an unauthenticated attacker to execute arbitrary commands on the device by sending a crafted request to the libraries installation route. The vulnerability is a classic command injection, classified as CWE‑78, and would give the attacker full control over the operating system of the affected control device.
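As an added illustration of the CWE-78 pattern described above (this is constructed example code, not Copeland firmware; the installer path, the `name` request field and the sample bodies are assumptions), the following contrasts a handler that interpolates a request-body field into a shell string with one that validates the field against an allow-list and invokes the installer through an argument vector, with no shell in the path. A small detection helper shows the other side: which body fields carry shell metacharacters.

```python
"""CWE-78 in a hypothetical 'install library' request handler: shell-string
interpolation beside an allow-list plus argv-list rewrite. Constructed example,
not Copeland firmware; the installer path, the 'name' field and the request
bodies below are assumptions."""
import re
import subprocess
from typing import Dict, List

INSTALLER = "/usr/local/bin/install-lib"  # assumed path to the installer binary

# Allow-list for a library name. The first character may not be '-' or '.', so a
# name cannot be parsed as an option (-rf) or a relative path component (../).
LIB_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Characters that give a POSIX shell a second command, a redirection or an expansion.
SHELL_META = frozenset(";&|`$<>(){}\n\r'\"\\")


def vulnerable_command(body: Dict[str, str]) -> str:
    """The CWE-78 pattern: a request-body field lands verbatim in a string that
    is later handed to a shell (system(), popen(), subprocess with shell=True).
    A value such as 'lib; id' makes the shell run 'id' as a second command."""
    return f"{INSTALLER} --name {body.get('name', '')}"


def hardened_argv(body: Dict[str, str]) -> List[str]:
    """Validate the field against the allow-list and build an argument vector.
    With no shell involved, metacharacters would be ordinary bytes inside one
    argument; the '--' (assumed to be honoured by the installer) additionally
    stops the name from being parsed as an option."""
    name = body.get("name", "")
    if not LIB_NAME_RE.fullmatch(name):
        raise ValueError(f"rejected library name: {name!r}")
    return [INSTALLER, "--", name]


def is_accepted(body: Dict[str, str]) -> bool:
    """True if the hardened handler would run the installer for this body."""
    try:
        hardened_argv(body)
        return True
    except ValueError:
        return False


def run_hardened(body: Dict[str, str]) -> int:
    """Execute without a shell. Not called below: INSTALLER does not exist here."""
    return subprocess.run(hardened_argv(body), shell=False, check=False, timeout=120).returncode


def suspicious_fields(body: Dict[str, str]) -> Dict[str, List[str]]:
    """Detection side: which body fields carry shell metacharacters. Usable as a
    WAF rule or over captured request bodies during incident review."""
    found = {k: sorted(set(v) & SHELL_META) for k, v in body.items()}
    return {k: chars for k, chars in found.items() if chars}


# Constructed request bodies (not captured traffic).
BENIGN = {"name": "sensor-pack_1.2", "version": "1.2"}
INJECTED = {"name": "lib; id", "version": "1.2"}
OPTION_LIKE = {"name": "-rf", "version": "1.2"}

if __name__ == "__main__":
    print("vulnerable shell string:", vulnerable_command(INJECTED))
    print("hardened argv (benign):", hardened_argv(BENIGN))
    print("accepted:", {label: is_accepted(b) for label, b in
                        {"benign": BENIGN, "injected": INJECTED, "option-like": OPTION_LIKE}.items()})
    print("suspicious fields:", suspicious_fields(INJECTED))
```

The allow-list is the real fix; the argv list removes the shell so that even a value that slips past validation cannot start a second command, and `--` covers argument injection, which an argv list alone does not prevent.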

Affected Systems

The flaw affects Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO models. Firmware versions 1.12.1 and earlier are impacted; newer releases have received a fix from Copeland, as indicated by the vendor’s update page.

Risk and Exploitability

The CVSS 3.1 base score of 9.0 (vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H) is rated Critical: the flaw is reachable over the network with no privileges and no user interaction, and a successful exploit compromises confidentiality, integrity and availability beyond the vulnerable component (changed scope). The one mitigating factor in the vector is high attack complexity, which is what keeps the score below 10.0. The EPSS score of 1.2% indicates a low but non-zero probability of exploitation within the next 30 days, and the SSVC assessment recorded for the CVE (Exploitation: none, Automatable: no, Technical Impact: total) reports no known exploitation. The flaw is not listed in CISA's KEV catalog, but an unauthenticated remote command injection on a control device warrants patching without waiting for evidence of active exploitation.

Generated by OpenCVE AI on April 18, 2026 at 10:19 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate, in the sections dedicated to the different XWEBPRO models.


OpenCVE Recommended Actions

  • Apply the latest firmware update for each affected XWEB Pro model by retrieving the package from Copeland’s software update page or initiating a network‑directed update via the device’s SYSTEM – Updates | Network menu.
  • Restrict external access to the libraries installation route, for example by configuring firewall rules or network segmentation so that only trusted internal IP ranges can reach the device.
  • If the libraries installation feature is not needed operationally, disable it where the firmware allows. Because the vulnerable route accepts requests without authentication, the device's own login does not protect it; until the device is patched, place its web interface behind an authenticated gateway or VPN so that only authorized users can reach it.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Copeland xweb 300d Pro
                                      Copeland xweb 300d Pro Firmware
                                      Copeland xweb 500b Pro
                                      Copeland xweb 500b Pro Firmware
                                      Copeland xweb 500d Pro
                                      Copeland xweb 500d Pro Firmware
CPEs                                  cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
                                      cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
                                      cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
                                      cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
                                      cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products                    Copeland xweb 300d Pro
                                      Copeland xweb 300d Pro Firmware
                                      Copeland xweb 500b Pro
                                      Copeland xweb 500b Pro Firmware
                                      Copeland xweb 500d Pro
                                      Copeland xweb 500d Pro Firmware

Mon, 02 Mar 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 27 Feb 2026 09:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Copeland
                                      Copeland copeland Xweb 300d Pro
                                      Copeland copeland Xweb 500b Pro
                                      Copeland copeland Xweb 500d Pro
Vendors & Products                    Copeland
                                      Copeland copeland Xweb 300d Pro
                                      Copeland copeland Xweb 500b Pro
                                      Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type                 Values Removed   Values Added
Description                           An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into the request body.
Title                                 Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses                            CWE-78
References
Metrics                               cvssV3_1: {'score': 9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T18:53:35.434Z

Reserved: 2026-02-05T16:55:52.321Z

Link: CVE-2026-24663

Vulnrichment

Updated: 2026-03-02T18:53:31.773Z

NVD

Status : Analyzed

Published: 2026-02-27T01:16:18.790

Modified: 2026-03-09T19:58:18.290

Link: CVE-2026-24663

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:30:35Z

Weaknesses