Description
An OS command injection



vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
supplying a crafted firmware update file via the firmware update route.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via OS command injection
Action: Immediate Patch
AI Analysis

Impact

An OS command injection flaw exists in the firmware update process of Copeland XWEB Pro systems. An attacker who is authenticated to the device can supply a specially crafted firmware file, causing the underlying operating system to execute arbitrary commands. The result is full remote code execution on the affected appliance. The vulnerability is specifically tied to version 1.12.1 and earlier, and relies on an insufficient validation of firmware update inputs, a classic root‑cause of CWE‑78.

Affected Systems

The flaw affects the Copeland XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO models running firmware 1.12.1 or older. All three product lines can be updated through the Copeland software update portal or via the local SYSTEM → Updates > Network interface.

Risk and Exploitability

The CVSS score of 8.0 indicates high severity, but the EPSS score is below 1 %, suggesting a low exploitation probability at present. Because the exploit requires prior authentication and a crafted update file, the attack vector is likely an authenticated firmware upload over the local network or via remote update if the device is internet‑connected. The vulnerability is not listed in the CISA KEV catalog, which further reduces the perceived threat level, yet the impact of remote code execution warrants swift remediation.

Generated by OpenCVE AI on April 16, 2026 at 15:43 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Update the XWEB Pro firmware to the latest version using Copeland’s software update portal or by selecting the Network update option in the SYSTEM → Updates menu.
  • Confirm that firmware uploads are only accepted from authenticated users; restrict the update API to local administrative sessions whenever possible to prevent unauthorized exploitation.
  • Apply general input validation hardening for all firmware upload endpoints, ensuring that the submitted file matches the expected format and checksum before processing, to guard against future command‑injection attempts.

Generated by OpenCVE AI on April 16, 2026 at 15:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 09 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Mon, 02 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:00:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted firmware update file via the firmware update route.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-03-02T14:30:03.420Z

Reserved: 2026-02-05T16:55:52.380Z

Link: CVE-2026-25195

cve-icon Vulnrichment

Updated: 2026-03-02T14:29:59.458Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T01:16:19.937

Modified: 2026-03-09T19:49:34.737

Link: CVE-2026-25195

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T15:45:16Z

Weaknesses