Description
An OS command injection


vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the devices field when accessing the get
setup route.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An OS command injection flaw exists in Copeland XWEB Pro firmware versions 1.12.1 and earlier. An authenticated attacker can inject malicious input into the devices field when accessing the get setup route, resulting in remote code execution on the device. The vulnerability is identified as CWE‑78, a command injection weakness, and if exploited it can give the attacker full control over the operating system.

Affected Systems

The affected products are Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO. The flaw exists in firmware versions 1.12.1 and earlier for each of these models. Users running those firmware releases should verify the exact build number of their device firmware and ensure it matches an unpatched version.

Risk and Exploitability

The CVSS score of 8.0 categorizes this vulnerability as high, while the EPSS score of less than 1% indicates a very low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. An attacker must first authenticate to the device through valid credentials, implying that compromise would most likely occur from an internal or compromised network environment. Once authenticated, the attacker can construct a malicious request to the get setup route, inject commands, and achieve execution with system privilege, potentially gaining full control over the device.

Generated by OpenCVE AI on June 4, 2026 at 22:24 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Apply the Copeland firmware update to a version newer than 1.12.1 using the software update page or the network update option in the SYSTEM → Updates menu.
  • Restrict administrative access to the XWEB Pro by limiting the IP ranges allowed to log in or by placing the device behind a secure firewall or VPN tunnel.
  • Implement network segmentation or firewall rules to block or monitor traffic to the get setup endpoint, reducing the attack surface for untrusted devices.

Generated by OpenCVE AI on June 4, 2026 at 22:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route, leading to remote code execution. An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route.

Mon, 09 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Tue, 03 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route, leading to remote code execution.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-06-04T21:22:07.283Z

Reserved: 2026-02-05T16:55:52.410Z

Link: CVE-2026-25109

cve-icon Vulnrichment

Updated: 2026-03-03T01:26:05.045Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T01:16:19.560

Modified: 2026-06-04T22:16:52.917

Link: CVE-2026-25109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-04T22:30:25Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')