Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1
and prior, enabling an authenticated attacker to achieve remote code
execution on the system by modifying malicious input injected into the
MBird SMS service URL and/or code via the utility route which is later
processed during system setup, leading to remote code execution.
Published: 2026-02-27
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Now
AI Analysis

Impact

An operating system command injection flaw exists in XWEB Pro firmware versions 1.12.1 and earlier. By inserting malicious commands into the MBird SMS service URL or into code passed to the utility‑route during system setup, an attacker who has authenticated access can cause the system to execute arbitrary operating‑system commands. This leads to full compromise of the device, exposing all stored data and allowing the attacker to control the system. The weakness falls under CWE‑78, OS Command Injection.

Affected Systems

The vulnerability affects Copeland XWEB models 300D PRO, 500B PRO, and 500D PRO. Firmware versions prior to 1.12.1 are impacted, and the affected CPE identifiers include product and firmware models for XWEB 300D PRO, XWEB 500B PRO, and XWEB 500D PRO. Users should verify the firmware version on each device; any device running an old XWEB Pro firmware is susceptible.

Risk and Exploitability

The CVSS base score of 8.0 reflects a high‑severity flaw with potential for complete system compromise. The EPSS score is less than 1 %, suggesting exploitation is unlikely in current threat environment, and the flaw is not listed in the CISA KEV catalog. Nonetheless, because the attack path requires authenticated remote access and involves injection of OS commands, it can lead to remote code execution. Users with devices exposed to the internet are at particular risk, so the vulnerability should be remediated as soon as practicable.

Generated by OpenCVE AI on April 17, 2026 at 14:06 UTC.

Remediation

Vendor Solution

Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

OpenCVE Recommended Actions

  • Upgrade the XWEB Pro firmware to the latest release available from Copeland’s software update page or via the device’s SYSTEM → Updates → Network menu.
  • If immediate firmware replacement cannot be performed, disable external access to the MBird SMS service URL and block use of the utility‑route interface until the update is installed.
  • Apply least‑privilege authentication controls for device log‑in accounts so that only authorized personnel can use features that may expose the utility‑route functionality.

Generated by OpenCVE AI on April 17, 2026 at 14:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 28 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware
CPEs cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*
cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*
cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*
Vendors & Products Copeland xweb 300d Pro
Copeland xweb 300d Pro Firmware
Copeland xweb 500b Pro
Copeland xweb 500b Pro Firmware
Copeland xweb 500d Pro
Copeland xweb 500d Pro Firmware

Fri, 27 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 27 Feb 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro
Vendors & Products Copeland
Copeland copeland Xweb 300d Pro
Copeland copeland Xweb 500b Pro
Copeland copeland Xweb 500d Pro

Fri, 27 Feb 2026 01:30:00 +0000

Type Values Removed Values Added
Description An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution.
Title Copeland XWEB and XWEB Pro OS Command Injection
Weaknesses CWE-78
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Copeland Copeland Xweb 300d Pro Copeland Xweb 500b Pro Copeland Xweb 500d Pro Xweb 300d Pro Xweb 300d Pro Firmware Xweb 500b Pro Xweb 500b Pro Firmware Xweb 500d Pro Xweb 500d Pro Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2026-02-27T19:09:35.935Z

Reserved: 2026-02-23T16:21:11.631Z

Link: CVE-2026-3037

cve-icon Vulnrichment

Updated: 2026-02-27T19:09:32.442Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-27T02:16:20.330

Modified: 2026-02-28T01:13:53.703

Link: CVE-2026-3037

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:15:21Z

Weaknesses