CVE-2026-24517

HIGH

XWEB Pro <1.12.1 - Command Injection

Title source: llm

Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route.

References (3)

[Third Party Advisory] https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json

View Writeup ZIP pw:eip

[Various Sources] https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate

[Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10

Scores

CVSS v3 8.0

EPSS 0.0032

EPSS Percentile 55.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-78

Status published

Affected Products (3)

copeland/xweb_500b_pro_firmware < 1.12.1

copeland/xweb_300d_pro_firmware < 1.12.1

copeland/xweb_500d_pro_firmware < 1.12.1

Timeline

Published Feb 27, 2026

Tracked Since Feb 27, 2026