PatchSiren cyber security CVE debrief
CVE-2026-25721 Copeland CVE debrief
CVE-2026-25721 is an authenticated OS command injection issue in Copeland XWEB Pro version 1.12.1 and earlier. According to the CISA advisory, malicious input in the server username and/or password fields of the restore action in the API V1 route can lead to remote code execution on the system. The advisory references CWE-78 (OS Command Injection) and assigns a CVSS v3.1 vector of AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating a high-impact compromise path that still requires authenticated access and elevated privileges.
- Vendor
- Copeland
- Product
- XWEB 300D PRO
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-02-26
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-02-26
Who should care
Organizations running Copeland XWEB Pro, especially XWEB Pro deployments at version 1.12.1 or earlier, should treat this as a priority patching issue. OT/ICS operators, system administrators, and vendors or integrators managing Copeland XWEB environments should review exposure, access controls, and update status immediately.
Technical summary
The advisory describes an OS command injection vulnerability in the restore action of the API V1 route. An authenticated attacker can inject malicious input into the server username and/or password fields, which can result in remote code execution. The source material ties the issue to CWE-78 and notes affected XWEB Pro versions at 1.12.1 and prior. The published CVSS vector shows network access, high attack complexity, high privileges required, no user interaction, changed scope, and high confidentiality, integrity, and availability impact.
Defensive priority
High. The issue can enable remote code execution in an industrial/OT-adjacent product, but it requires authenticated access and elevated privileges. Patch quickly, verify account governance, and reduce administrative exposure while remediation is planned.
Recommended defensive actions
- Update XWEB Pro to the latest vendor-fixed version using Copeland's software update page referenced in the advisory.
- If internet access is available from an authenticated XWEB Pro session, use the vendor-described SYSTEM -- Updates | Network update path to obtain the fix from Copeland servers.
- Review and restrict authenticated access to XWEB Pro administrative functions, especially restore-related API V1 operations.
- Audit deployments to identify systems running XWEB Pro 1.12.1 or earlier and prioritize them for remediation.
- Validate that update procedures are completed successfully and document the post-update software version across affected assets.
Evidence notes
This debrief is based on CISA CSAF advisory ICSA-26-057-10 for CVE-2026-25721 and the advisory's remediation guidance. The advisory states the vulnerability, affected version boundary, attack prerequisites, impacted action/fields, and update options. No exploit code or unsupported impact claims are included.
Official resources
-
CVE-2026-25721 CVE record
CVE.org
-
CVE-2026-25721 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA's CSAF record shows Initial Publication on 2026-02-26T07:00:00.000Z, which is the appropriate advisory date to use for this issue.