Impact
An OS command injection flaw in XWEB Pro version 1.12.1 or earlier permits an authenticated attacker to inject arbitrary shell commands by entering malicious data into the Wi‑Fi SSID and/or password fields. When the firmware processes the configuration, the injected command is executed, giving the attacker remote code execution. The weakness is CWE-78, indicating that external input is not properly validated before being passed to the operating system.
Affected Systems
Copeland XWEB 300D PRO, Copeland XWEB 500B PRO and Copeland XWEB 500D PRO devices that run firmware version 1.12.1 or earlier are vulnerable. The vendor lists these product lines in the advisory and provides a single firmware update that addresses the flaw.
Risk and Exploitability
The CVSS base score of 8.0 denotes a high severity vulnerability while the EPSS score of 2 % indicates that automated exploitation is unlikely but not impossible. The flaw requires authentication; an attacker must have access to the device’s Wi‑Fi configuration interface to modify the SSID/password fields, and the configuration must then be processed for the malicious command to run. Because it is not in the CISA KEV catalog, there are currently no known widespread attacks, but the high impact warrants immediate mitigation.
OpenCVE Enrichment