Description
An OS command injection

vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
configuring a maliciously crafted LCD state which is later processed
during system setup, enabling remote code execution.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection vulnerability exists in Copeland XWEB Pro firmware versions 1.12.1 and earlier. It allows an authenticated attacker to craft a malicious LCD state that, when processed during system setup, injects operating‑system commands, giving the attacker remote code execution on the device. The flaw is a classic command injection weakness (CWE‑78).

Affected Systems

Affected firmware is distributed to the Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO hardware lines. Users running firmware version 1.12.1 or earlier on any of these models are susceptible.

Risk and Exploitability

The CVSS score of 8 indicates high severity, and the EPSS score shows a very low current exploitation probability. The vulnerability has not been listed in CISA’s KEV catalog. Exploitation requires authentication and the ability to upload or configure LCD state data; once these prerequisites are met, an attacker can cause arbitrary command execution on the host operating system. The most likely attack vector involves an authenticated user with network access to the XWEB Pro, using the web interface to upload a malicious LCD configuration.

Generated by OpenCVE AI on April 16, 2026 at 15:38 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Install the latest XWEB Pro firmware from Copeland’s software update page or via the on‑device Network Updates option.
  • If an immediate firmware upgrade is not possible, disable internet connectivity for the XWEB Pro devices to prevent authenticated remote attacks from reaching the vulnerable interface.
  • Restrict LCD state configuration to trusted administrators and monitor configuration changes for suspicious entries.

Generated by OpenCVE AI on April 16, 2026 at 15:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 02 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote code execution.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T14:27:22.123Z

Reserved: 2026-02-05T16:47:16.585Z

Link: CVE-2026-25037

cve-icon Vulnrichment

Updated: 2026-03-02T14:27:19.231Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T02:16:19.603

Modified: 2026-02-27T23:07:40.717

Link: CVE-2026-25037

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses