PatchSiren cyber security CVE debrief
CVE-2026-20764 Copeland CVE debrief
CVE-2026-20764 is a high-severity OS command injection issue in Copeland XWEB Pro. According to the CISA CSAF advisory published on 2026-02-26, an authenticated attacker can supply malicious input through the device hostname configuration and trigger remote code execution during system setup. The advisory recommends updating to the latest XWEB Pro version.
- Vendor
- Copeland
- Product
- XWEB 300D PRO
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-02-26
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-02-26
Who should care
Organizations operating Copeland XWEB Pro systems, especially the listed XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO models running version 1.12.1 or earlier. OT, facilities, and industrial environments that rely on these devices should prioritize this issue because successful exploitation can result in remote code execution on the system.
Technical summary
The source advisory describes an OS command injection vulnerability in XWEB Pro version 1.12.1 and prior. The attack requires authentication and leverages malicious data entered via the device hostname configuration, which is later processed during system setup. The resulting impact is remote code execution. The advisory’s CVSS v3.1 vector is AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, reflecting the need for authenticated access and the potential for broad system impact.
Defensive priority
High. This is a remotely reachable authenticated RCE in an OT-adjacent product, and the vendor provides a patch. Even with high privileges required, the impact is severe enough to justify prompt remediation and access review.
Recommended defensive actions
- Update XWEB Pro to the latest available version using Copeland’s software update page.
- If the device has internet access, use the on-device SYSTEM → Updates → Network update path to pull the fix directly from Copeland servers.
- Review privileged account access to XWEB Pro and restrict who can change hostname or setup-related configuration.
- Check all deployed XWEB Pro systems for version 1.12.1 or earlier, including the listed XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO models.
- Validate that updates completed successfully and document remediation status for OT asset inventories.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-057-10, published 2026-02-26 and initially released with the source record. The advisory states that XWEB Pro version 1.12.1 and earlier are affected by an OS command injection issue that can lead to remote code execution when malicious hostname input is processed during system setup. The source also provides vendor remediation guidance to update to the latest version via Copeland’s update page or directly on the device. No KEV entry or in-the-wild exploitation claim is present in the supplied source corpus.
Official resources
-
CVE-2026-20764 CVE record
CVE.org
-
CVE-2026-20764 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed in CISA CSAF advisory ICSA-26-057-10 on 2026-02-26. The supplied source corpus does not indicate KEV listing or known ransomware use.