PatchSiren

CVE-2026-25111 Copeland CVE debrief

CVE-2026-25111 is an authenticated OS command injection issue in Copeland XWEB Pro version 1.12.1 and earlier. According to the CISA advisory, malicious input sent to the restore route can allow remote code execution on the affected system. Copeland says a fix is available and recommends updating XWEB Pro to the latest version.

Vendor: Copeland
Product: XWEB 300D PRO
CVSS: HIGH 8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-26
Original CVE updated: 2026-02-26
Advisory published: 2026-02-26
Advisory updated: 2026-02-26

Who should care

Operators and administrators responsible for Copeland XWEB Pro appliances, especially XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO systems running version 1.12.1 or earlier. OT/ICS teams that manage patching, remote access, and device administration should treat this as a priority.

Technical summary

The advisory describes an OS command injection in XWEB Pro that is triggered through requests to the restore route. The attack requires an authenticated attacker and can result in remote code execution on the affected system. The supplied CVSS vector indicates network access, high privileges, no user interaction, and high impact to confidentiality, integrity, and availability.

Defensive priority

High — patch as soon as operationally feasible, with particular attention to OT change-control windows and any exposed management interfaces.

Recommended defensive actions

  • Update XWEB Pro to the latest vendor-recommended version using Copeland’s software update page.
  • If the device has internet access and the environment permits, use the built-in SYSTEM -> Updates | Network update path described by Copeland.
  • Restrict administrative access to trusted users only and review whether the restore functionality is exposed more broadly than necessary.
  • Apply ICS defense-in-depth practices such as network segmentation and limiting access to management services, using the CISA recommended practices linked in the advisory.
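
An added example, not from the advisory or Copeland: triaging an asset inventory against the affected models and version range stated above, and flagging devices whose management address sits outside a designated management network. The inventory columns, hostnames, addresses and the 10.20.0.0/24 management subnet are constructed assumptions; because the page names no fixed version, anything above 1.12.1 is treated as outside the stated affected range.

```python
import csv
import io
import ipaddress
import re

# From the advisory summary above: affected models and the last affected version.
AFFECTED_MODELS = {"XWEB 300D PRO", "XWEB 500D PRO", "XWEB 500B PRO"}
LAST_AFFECTED = (1, 12, 1)

# Constructed sample inventory (hosts, versions, addresses and columns are assumptions).
SAMPLE_INVENTORY = """\
host,model,firmware,mgmt_ip
cold-room-1,XWEB 300D PRO,1.12.1,10.20.0.15
cold-room-2,xweb 500d pro,1.9.4,192.0.2.44
dock-3,XWEB 500B PRO,1.13.0,10.20.0.17
lab-4,XWEB 500B PRO,unknown,10.20.0.18
hvac-5,Other Controller,1.0.0,10.20.0.19
"""

def parse_version(text):
    """Dotted-numeric string -> tuple of ints (trailing zeros dropped), else None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def triage(inventory_csv, mgmt_net="10.20.0.0/24"):
    """Return (host, status, outside_mgmt_net) for devices needing action."""
    net = ipaddress.ip_network(mgmt_net)
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = " ".join(row["model"].upper().split())
        if model not in AFFECTED_MODELS:
            continue
        version = parse_version(row["firmware"])
        if version is None:
            status = "unknown-version"   # cannot rule out; verify on the device
        elif version <= LAST_AFFECTED:   # numeric compare: 1.9.4 < 1.12.1
            status = "affected"
        else:
            continue
        outside = ipaddress.ip_address(row["mgmt_ip"].strip()) not in net
        findings.append((row["host"], status, outside))
    # Devices reachable outside the management network first, then confirmed affected.
    return sorted(findings, key=lambda f: (not f[2], f[1] != "affected"))
```

Comparing versions as integer tuples matters here: a plain string comparison would rank 1.9.4 above 1.12.1 and miss an affected device.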

Evidence notes

Primary evidence comes from the CISA CSAF advisory ICSA-26-057-10, published 2026-02-26, which states that XWEB Pro version 1.12.1 and prior are affected by an authenticated OS command injection leading to remote code execution through the restore route. The same source lists Copeland remediation guidance to update XWEB Pro to the latest version. The supplied source data also includes SSVCv2/E:N/A:N with timestamp 2026-02-25T07:00:00.000000Z.

Official resources

CISA published advisory ICSA-26-057-10 and the CVE record on 2026-02-26. The supplied data does not indicate KEV listing or known ransomware campaign use. The source notes include SSVCv2/E:N/A:N with a timestamp of 2026-02-25T07:00:00.000Z.