Description
An OS command injection

vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the devices field of the firmware update
apply action.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection vulnerability exists in Copeland XWEB Pro firmware up to and including version 1.12.1. The flaw allows an attacker who is authenticated to the device to inject arbitrary operating‑system commands through the devices field of the firmware update apply action, leading to remote code execution on the host. This weakness is classified as a CWE‑78 path‑leading command injection and could compromise confidentiality, integrity, and availability of the system if exploited.

Affected Systems

Affected products include Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO. All firmware revisions up to and including 1.12.1 are vulnerable; newer releases are not explicitly listed as affected.

Risk and Exploitability

The CVSS score of 8.0 indicates a high severity vulnerability, while the EPSS score is below 1 %, suggesting a low likelihood of widespread exploitation. The vulnerability is not in CISA’s KEV catalog. Exploitation requires valid credentials and access to the firmware update interface, implying an authenticated remote attack vector. Once the command injection is triggered, the attacker can execute arbitrary commands with the privileges of the device, potentially taking full control of the XWEB Pro system.

Generated by OpenCVE AI on April 16, 2026 at 15:42 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Download and apply the latest XWEB Pro firmware update from Copeland’s software update page or via the SYSTEM ► Updates ► Network menu.
  • After updating, use only strong, unique passwords (and enable MFA if supported) for the device’s administrative accounts to prevent unauthorized use of the firmware update interface.
  • Restrict network traffic to the firmware update port by configuring firewall rules that permit only trusted management IP addresses.

Generated by OpenCVE AI on April 16, 2026 at 15:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Tue, 03 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update apply action.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-03T01:26:47.111Z

Reserved: 2026-02-05T16:55:52.404Z

Link: CVE-2026-24689

cve-icon Vulnrichment

Updated: 2026-03-03T01:26:42.937Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T01:16:18.983

Modified: 2026-03-09T19:57:24.220

Link: CVE-2026-24689

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses