CVE-2026-24517
8
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
An OS command injection
vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Copeland | Copeland XWEB 300D PRO | 0 <= 1.12.1 | affected |
| Copeland | Copeland XWEB 500D PRO | 0 <= 1.12.1 | affected |
| Copeland | Copeland XWEB 500B PRO | 0 <= 1.12.1 | affected |
Weaknesses
- CWE-78: CWE-78
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.