CVE-2026-3037

HIGH

XWEB Pro <=1.12.1 - Command Injection

Title source: llm

Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution.

References (3)

[Third Party Advisory] https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json

View Writeup ZIP pw:eip

[Various Sources] https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate

[Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10

Scores

CVSS v3 8.0

EPSS 0.0014

EPSS Percentile 34.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Classification

CWE

CWE-78

Status published

Affected Products (3)

copeland/xweb_300d_pro_firmware < 1.12.1

copeland/xweb_500d_pro_firmware < 1.12.1

copeland/xweb_500b_pro_firmware < 1.12.1

Timeline

Published Feb 27, 2026

Tracked Since Feb 27, 2026