PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-20797 Copeland CVE debrief

CVE-2026-20797 is a medium-severity vulnerability affecting Copeland XWEB Pro firmware versions 1.12.1 and earlier on the affected product lines listed by NVD. The issue is a stack-based buffer overflow in an API route that can be triggered by an unauthenticated attacker under adjacent-network conditions, leading to stack corruption and termination of the program. The published record does not describe confirmed code execution or data exposure. For defenders, this is primarily a resilience and exposure-management issue: if the affected XWEB Pro devices are reachable from untrusted or loosely controlled adjacent networks, they should be prioritized for upgrade and network restriction. The available references point to Copeland’s software update page and the CISA/ICS advisory for mitigation guidance.

Vendor
Copeland
Product
CVE-2026-20797
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-27
Original CVE updated
2026-05-10
Advisory published
2026-02-27
Advisory updated
2026-05-10

Who should care

Operators and defenders responsible for Copeland XWEB 300D Pro, XWEB 500D Pro, and XWEB 500B Pro firmware at version 1.12.1 or earlier, especially where the devices are reachable from adjacent networks or shared operational segments.

Technical summary

NVD lists a stack-based buffer overflow in an API route affecting Copeland XWEB Pro firmware on several product CPEs, with vulnerable versions ending at 1.12.1. The CVSS v3.1 vector is AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, which indicates an unauthenticated attack path requiring adjacent-network access and resulting in low availability impact. NVD also maps the weakness to CWE-787 and CWE-121. The record’s impact statement is limited to stack corruption and program termination.

Defensive priority

Medium. The issue is unauthenticated and low-complexity, but the exposure appears constrained to adjacent-network conditions and the reported impact is limited to availability. Prioritize environments where these controllers are reachable from shared plant, building, or management networks.

Recommended defensive actions

  • Identify Copeland XWEB Pro deployments and confirm whether any affected firmware is at version 1.12.1 or earlier.
  • Apply the vendor-provided software update or remediation guidance referenced by Copeland and CISA.
  • Restrict network reachability to the API routes and management interfaces, especially from adjacent or shared operational segments.
  • Segment affected devices from broader enterprise and guest networks to reduce adjacent-network exposure.
  • Monitor for repeated crashes, service restarts, or other symptoms consistent with stack corruption.
  • Review asset inventories and ensure the affected CPE families are accounted for in vulnerability management workflows.

Evidence notes

This debrief is based on the NVD modified record for CVE-2026-20797, which includes the CVSS vector, CWE mappings, vulnerable CPEs, and references to CISA/ICS and Copeland resources. The record published by NVD states affected versions through 1.12.1 for Copeland XWEB 300D Pro, XWEB 500D Pro, and XWEB 500B Pro firmware, while the hardware CPE entries are marked not vulnerable. The source corpus does not provide exploit details beyond the buffer overflow location and the stated effect of stack corruption and program termination.

Official resources

Published by NVD on 2026-02-27 and modified on 2026-05-10. The source corpus cites CISA/ICS and Copeland references for additional mitigation context.