Description
An OS command injection


vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
injecting malicious input into the devices field when accessing the get
setup route, leading to remote code execution.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw exists in the XWEB Pro firmware that allows an authenticated attacker to supply malicious input in the devices field of the get setup route, leading to execution of arbitrary operating system commands. The vulnerability is mapped to CWE‑78, which denotes command injection, and can give the attacker full control over the device if exploited successfully. The description states that the flaw can result in remote code execution on the system, underscoring the high severity of the potential impact.

Affected Systems

The affected products are Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO. The flaw exists in firmware versions 1.12.1 and earlier for each of these models. Users running those firmware releases should verify the exact build number of their device firmware and ensure it matches an unpatched version.

Risk and Exploitability

The CVSS score of 8.0 categorizes this vulnerability as high, while the EPSS score of less than 1% indicates a very low probability of exploitation at this time. The flaw is not listed in the CISA KEV catalog. An attacker must first authenticate to the device through valid credentials, implying that compromise would most likely occur from an internal or compromised network environment. Once authenticated, the attacker can construct a malicious request to the get setup route, inject commands, and achieve execution with system privilege, potentially gaining full control over the device.

Generated by OpenCVE AI on April 16, 2026 at 15:42 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Apply the Copeland firmware update to a version newer than 1.12.1 using the software update page or the network update option in the SYSTEM → Updates menu.
  • Restrict administrative access to the XWEB Pro by limiting the IP ranges allowed to log in or by placing the device behind a secure firewall or VPN tunnel.
  • Implement network segmentation or firewall rules to block or monitor traffic to the get setup endpoint, reducing the attack surface for untrusted devices.

Generated by OpenCVE AI on April 16, 2026 at 15:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Tue, 03 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route, leading to remote code execution.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-03T01:26:09.158Z

Reserved: 2026-02-05T16:55:52.410Z

Link: CVE-2026-25109

cve-icon Vulnrichment

Updated: 2026-03-03T01:26:05.045Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T01:16:19.560

Modified: 2026-03-09T19:54:08.713

Link: CVE-2026-25109

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses