PatchSiren cyber security CVE debrief
CVE-2026-20910 Copeland CVE debrief
CISA published ICSA-26-057-10 on 2026-02-26 for CVE-2026-20910. The advisory describes an OS command injection in XWEB Pro version 1.12.1 and earlier: an authenticated attacker can inject malicious input into the devices field of the firmware update action and achieve remote code execution on the system. Copeland states that a fix is available and provides update paths for affected deployments.
- Vendor: Copeland
- Product: XWEB 300D PRO
- CVSS: HIGH, 8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-26
- Original CVE updated: 2026-02-26
- Advisory published: 2026-02-26
- Advisory updated: 2026-02-26
Who should care
Operators and administrators of Copeland XWEB Pro systems, OT/ICS security teams, patch managers, and anyone who can approve or perform firmware updates on affected devices.
Technical summary
This is a high-severity command-injection issue in Copeland XWEB Pro affecting version 1.12.1 and prior. The supplied CVSS v3.1 vector is AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating network exposure, high attack complexity, high privilege requirements, no user interaction, a changed scope, and high impact to confidentiality, integrity, and availability. The vulnerable path is the firmware update action, specifically the devices field, where unvalidated input reaches an OS command and yields remote code execution.
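The advisory names the pattern (a request field flowing into an OS command) but not XWEB Pro's internal code, which is not public. The following added example is a hypothetical firmware-update handler written for this debrief, not Copeland's code, that shows the defect class beside its hardened form: the weak version concatenates the devices field into a shell command line, while the hardened version validates each device identifier against a strict allowlist pattern and passes the result as a separate argv element with no shell involved. The command path `/usr/local/bin/fwupdate`, the `--devices` option and the identifier format are assumptions.

```python
import re
import subprocess

# Assumed update tool and device-identifier format (hypothetical, not from the vendor).
FWUPDATE_BIN = "/usr/local/bin/fwupdate"
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def build_shell_command_weak(devices_field):
    """Weak pattern: the raw request field is spliced into one shell string.
    Anything the shell treats specially in the field changes the command
    that runs. Returned as a string here so the example never executes it."""
    return f"{FWUPDATE_BIN} --devices {devices_field}"


def validate_devices(devices_field):
    """Allowlist validation: split the comma-separated field and accept only
    identifiers matching DEVICE_ID_RE. Returns the list of identifiers or
    raises ValueError on empty or malformed input."""
    ids = [d.strip() for d in devices_field.split(",")]
    if not ids or any(not d for d in ids):
        raise ValueError("devices field must be a non-empty comma-separated list")
    bad = [d for d in ids if not DEVICE_ID_RE.fullmatch(d)]
    if bad:
        raise ValueError(f"rejected device identifier(s): {bad}")
    return ids


def build_update_argv(devices_field):
    """Hardened pattern: validated identifiers are passed as a separate argv
    element. No shell parses the line, so the field can only ever be data."""
    return [FWUPDATE_BIN, "--devices", ",".join(validate_devices(devices_field))]


def run_update(devices_field, runner=subprocess.run):
    """Validate, then execute without a shell. `runner` is injectable so the
    function can be exercised without the (assumed) fwupdate binary present."""
    argv = build_update_argv(devices_field)
    return runner(argv, shell=False, check=True)


if __name__ == "__main__":
    print("weak  :", build_shell_command_weak("dev01,dev02"))
    print("argv  :", build_update_argv("dev01,dev02"))
    try:
        build_update_argv("dev01,../../etc")
    except ValueError as exc:
        print("reject:", exc)
```

The point for defenders reviewing their own update endpoints: the argv form makes the injection impossible regardless of what the field contains, and the allowlist turns any unexpected characters into a logged validation failure, which is exactly the kind of event the monitoring recommendation below should be watching for.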
Defensive priority
High — prioritize remediation for all affected XWEB Pro instances, especially systems where authenticated administrative access is broadly available or insufficiently monitored.
Recommended defensive actions
- Update XWEB Pro to the latest Copeland-fixed version using the vendor software update page referenced in the advisory.
- If direct update is used, follow Copeland's documented SYSTEM -- Updates | Network method only on authorized, managed systems.
- Inventory all XWEB Pro deployments and confirm whether any are running version 1.12.1 or earlier.
- Review and restrict access to authenticated administrative and firmware-update functions; verify that only approved personnel can perform update actions.
- Monitor for unusual firmware update activity or unexpected command execution around the update workflow.
- Apply CISA industrial control system hardening and defense-in-depth practices to reduce exposure around management interfaces and privileged accounts.
Evidence notes
Primary evidence comes from the CISA CSAF advisory ICSA-26-057-10, published 2026-02-26, which states the affected product family, vulnerable version range, attack prerequisite, impact, and remediation options. The supplied timeline matches the advisory publication date, and no KEV date or active exploitation note was supplied in the corpus. The CVE/CISA reference links are official validation sources; the advisory itself is the basis for the vulnerability summary.
Official resources
- CVE-2026-20910 CVE record (CVE.org)
- CVE-2026-20910 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
Publicly disclosed in the CISA ICS advisory ICSA-26-057-10 on 2026-02-26. The supplied corpus does not include a CISA KEV listing or a ransomware-campaign association.