PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-24663 Copeland CVE debrief

CVE-2026-24663 is a critical OS command injection vulnerability in Copeland XWEB Pro version 1.12.1 and earlier. According to CISA, an unauthenticated attacker can send a crafted request to the libraries installation route and inject malicious input through the request body, potentially achieving remote code execution on the device.

Vendor
Copeland
Product
XWEB 300D PRO
CVSS
CRITICAL 9.0
CISA KEV
Not listed in stored evidence
Original CVE published
2026-02-26
Original CVE updated
2026-02-26
Advisory published
2026-02-26
Advisory updated
2026-02-26

Who should care

Operators, maintenance teams, and administrators responsible for Copeland XWEB Pro deployments should prioritize this advisory, especially where XWEB Pro version 1.12.1 or earlier is in use.

Technical summary

The advisory describes an unauthenticated OS command injection path in XWEB Pro. The attacker model requires no credentials, and the vulnerable interaction is the libraries installation route, where malicious request-body input is passed to the operating system and executed as a command on the target. The supplied CVSS vector is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 9.0): network-reachable, no privileges required, no user interaction, changed scope, and high confidentiality, integrity and availability impact. The only component that holds the score below 10.0 is AC:H (high attack complexity), so the 9.0 should not be read as a weaker impact.

Defensive priority

Urgent. This is a critical, unauthenticated remote code execution condition in an industrial/OT product, so affected systems should be updated as soon as possible and kept away from untrusted networks until they are.

Recommended defensive actions

  • Update XWEB Pro to the latest version using Copeland's software update page referenced in the advisory.
  • If the device has internet access, an administrator logged in to it can use SYSTEM -- Updates | Network to update directly from Copeland's servers.
  • Verify whether any deployed Copeland XWEB Pro systems are running version 1.12.1 or earlier and treat them as affected until patched.
  • Apply the CISA ICS recommended practices linked in the advisory as supplementary defensive guidance, in particular minimizing the device's network exposure until the update has been applied.
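The affected range is "1.12.1 and prior", and a common inventory mistake is to compare version strings lexicographically, which puts 1.9.0 after 1.12.1 and marks an old device as patched. The following added example (not vendor tooling; the hostnames, version strings and the dotted "major.minor.patch" format are assumptions made for illustration) parses versions numerically and sorts an inventory into affected, patched and unknown, keeping devices that reported no version visible rather than silently treating them as safe.

```python
"""Affected-version triage for XWEB Pro <= 1.12.1 (ICSA-26-057-10).
Added example; the inventory below is constructed and the dotted version
format is an assumption about how deployed devices report their version."""
import re

AFFECTED_MAX = "1.12.1"  # "version 1.12.1 and prior" per the advisory

# Accepts "1.12.1", "v1.12.1", "1.12"; ignores any trailing build suffix.
_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text):
    """Return a tuple of ints (1, 12, 1) for numeric comparison, or None when
    no version number can be read (empty or garbled response)."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(t, n):
    """Right-pad with zeros so 1.12 compares as 1.12.0."""
    return t + (0,) * (n - len(t))


def is_affected(version_text):
    """True if version <= 1.12.1, False if newer, None if unreadable."""
    v = parse_version(version_text)
    if v is None:
        return None
    limit = parse_version(AFFECTED_MAX)
    n = max(len(v), len(limit))
    return _pad(v, n) <= _pad(limit, n)


def triage(inventory):
    """Split {host: reported_version} into affected / patched / unknown lists.

    Unknown devices get their own bucket because an unanswered version probe
    must not be read as 'not affected'."""
    result = {"affected": [], "patched": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        state = is_affected(ver)
        if state is None:
            result["unknown"].append(host)
        elif state:
            result["affected"].append(host)
        else:
            result["patched"].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "xweb-store-01": "1.12.1",  # exactly the last affected version
    "xweb-store-02": "1.9.0",   # older, although "1.9.0" > "1.12.1" as strings
    "xweb-store-03": "1.12.2",  # newer than the affected range
    "xweb-store-04": "1.12",    # reads as 1.12.0, still affected
    "xweb-store-05": "",        # device did not report a version
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print("%-8s %s" % (bucket, ", ".join(hosts) or "-"))
```

Feed it whatever your inventory tool exports for each device; anything that lands in "unknown" needs a manual check before the fleet is declared clean.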

Evidence notes

Primary evidence comes from CISA CSAF advisory ICSA-26-057-10, published 2026-02-26T07:00:00Z, which states that XWEB Pro version 1.12.1 and prior are affected by an OS command injection that may permit unauthenticated remote code execution through the libraries installation route. The supplied metadata also lists the CVSS 3.1 vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H and does not mark the issue as KEV-listed. The supplied vendor metadata is flagged low-confidence/review-needed, so the product naming in the body follows the advisory wording (XWEB Pro) rather than the normalized product field above (XWEB 300D PRO).

Official resources

CISA published the advisory on 2026-02-26T07:00:00Z as an initial publication. The supplied SSVC timestamp is 2026-02-25T07:00:00Z, which predates the public advisory release and should not be treated as the disclosure date. The supplied KE