CVE-2026-25721
8
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API V1 route.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Copeland | Copeland XWEB 300D PRO | 0 <= 1.12.1 | affected |
| Copeland | Copeland XWEB 500D PRO | 0 <= 1.12.1 | affected |
| Copeland | Copeland XWEB 500B PRO | 0 <= 1.12.1 | affected |
Weaknesses
- CWE-78: CWE-78
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.