PatchSiren cyber security CVE debrief
CVE-2026-25085 Copeland CVE debrief
CVE-2026-25085 is a high-severity authentication bypass in Copeland XWEB Pro version 1.12.1 and earlier. The issue occurs when an unexpected return value from the authentication routine is later treated as legitimate, allowing access without proper authentication. CISA published the advisory on 2026-02-26 and provided vendor remediation guidance to update affected XWEB Pro installations.
- Vendor
- Copeland
- Product
- XWEB 300D PRO
- CVSS
- HIGH 8.6
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-02-26
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-02-26
Who should care
Operators and administrators of Copeland XWEB Pro deployments, especially environments exposing management interfaces or relying on the affected authentication path. OT/ICS security teams should prioritize this advisory because the flaw is network-reachable, requires no privileges or user interaction, and can undermine access controls.
Technical summary
The advisory describes an authentication logic flaw in Copeland XWEB Pro 1.12.1 and prior. An unexpected return value from the authentication routine is later processed as though it were valid, creating an authentication bypass. The published CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L, indicating remote exploitability with no privileges or user interaction required and potential impact to confidentiality, integrity, and availability.
Defensive priority
High. The combination of unauthenticated network exposure, straightforward attack conditions, and direct authentication bypass makes this a priority patch for any affected XWEB Pro deployment.
Recommended defensive actions
- Update Copeland XWEB Pro to the latest version using the vendor software update page provided in the advisory.
- If the device has internet access and is already logged in, use the vendor-supported SYSTEM -> Updates | Network update path to retrieve updates directly from Copeland servers.
- Inventory all XWEB Pro deployments and confirm which systems are at version 1.12.1 or earlier.
- Restrict administrative access to affected systems until updates are applied, using segmentation and least-privilege access controls consistent with CISA ICS recommended practices.
- Review authentication and access logs for unusual successful logins or access attempts around the advisory publication window.
Evidence notes
The core facts come from the CISA CSAF advisory for ICSA-26-057-10 and its linked references. The source states: 'A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior' and that an unexpected authentication return value is later treated as legitimate, resulting in authentication bypass. The advisory was initially published on 2026-02-26 with no later modifications in the supplied timeline. The prompt’s vendor metadata is low confidence and the product naming in the source is somewhat inconsistent, so the debrief stays aligned to the advisory text rather than expanding beyond it.
Official resources
-
CVE-2026-25085 CVE record
CVE.org
-
CVE-2026-25085 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA in ICSA-26-057-10 on 2026-02-26; no Known Exploited Vulnerabilities listing is provided in the supplied data.