CVE-2026-3037
8
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Copeland | Copeland XWEB 300D PRO | 0 <= 1.12.1 | affected |
| Copeland | Copeland XWEB 500D PRO | 0 <= 1.12.1 | affected |
| Copeland | Copeland XWEB 500B PRO | 0 <= 1.12.1 | affected |
Weaknesses
- CWE-78: CWE-78
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10
- https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.