PatchSiren cyber security CVE debrief
CVE-2026-24452 Copeland CVE debrief
CVE-2026-24452 affects Copeland XWEB Pro 1.12.1 and earlier and can let an authenticated attacker reach remote code execution by submitting a crafted template file through the devices route. The advisory was published by CISA on 2026-02-26 and includes a fix from Copeland; affected operators should prioritize updating exposed or internet-connected deployments.
- Vendor
- Copeland
- Product
- XWEB 300D PRO
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-02-26
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-02-26
Who should care
OT/ICS operators running Copeland XWEB Pro, including XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO instances; security teams responsible for industrial management systems; and administrators who allow authenticated users to access the devices route or system update functions.
Technical summary
The advisory describes an OS command injection weakness (CWE-78) in XWEB Pro version 1.12.1 and prior. A successful attack requires authentication and uses a crafted template file sent to the devices route, which can result in remote code execution on the system. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating high impact with high attack complexity and privileged access requirements.
Defensive priority
High priority for OT/ICS environments. Because the issue can lead to remote code execution on a management system and the vendor has already published a fix, remediation should be scheduled immediately for any affected deployment that is reachable by multiple users or connected to broader networks.
Recommended defensive actions
- Upgrade XWEB Pro to the latest Copeland-provided version using the software update page referenced in the advisory.
- If the device has internet access, use the SYSTEM -- Updates | Network path described by Copeland to update directly from Copeland servers.
- Restrict and review authenticated access to XWEB Pro administrative functions, especially routes that accept template files.
- Inventory all XWEB Pro deployments and confirm whether they are at version 1.12.1 or earlier.
- Prioritize remediation on systems that are network-accessible or support critical building/industrial operations.
- Monitor for unexpected administrative activity or file submissions associated with the devices route until systems are updated.
Evidence notes
Source evidence states: "An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted template file to the devices route." The advisory metadata includes SSVCv2/E:N/A:N/2026-02-25T07:00:00.000000Z, the CVE and source advisory were published on 2026-02-26T07:00:00.000Z, and the remediation section says Copeland has provided a fix and recommends updating XWEB Pro. The corpus does not include a KEV entry.
Official resources
-
CVE-2026-24452 CVE record
CVE.org
-
CVE-2026-24452 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published ICSA-26-057-10 and CVE-2026-24452 on 2026-02-26. The supplied corpus shows no KEV entry and no other exploitation evidence beyond the advisory description and SSVC metadata.