PatchSiren cyber security CVE debrief
CVE-2026-23702 Copeland CVE debrief
CVE-2026-23702 describes an authenticated OS command injection in Copeland XWEB Pro version 1.12.1 and earlier. The advisory says malicious input in the server username field of the import preconfiguration action in the API V1 route can lead to remote code execution on the system. This is a high-priority issue for operators of affected XWEB Pro deployments, especially in OT/ICS environments.
- Vendor
- Copeland
- Product
- XWEB 300D PRO
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-02-26
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-02-26
Who should care
Administrators and operators of Copeland XWEB Pro deployments, especially those running version 1.12.1 or earlier. Security teams responsible for OT/ICS management interfaces, API access control, and patching should prioritize this issue.
Technical summary
According to the CISA CSAF advisory, XWEB Pro version 1.12.1 and prior is affected by an OS command injection flaw. An authenticated attacker can supply malicious input through the server username field during the import preconfiguration action in the API V1 route, which can result in remote code execution. The supplied advisory assigns a CVSS 3.1 vector of AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating a network-reachable, privileged, high-impact flaw.
Defensive priority
High. Although the attacker must be authenticated, the impact is remote code execution in an industrial/OT management product, and the advisory provides a fix. Patch as soon as operationally feasible and reduce exposure to the management interface.
Recommended defensive actions
- Update Copeland XWEB Pro to the latest available version using Copeland's software update page.
- If the system has internet access and Copeland's supported workflow applies, update directly from Copeland servers via SYSTEM -- Updates | Network.
- Restrict access to XWEB Pro administrative and API interfaces to trusted management networks and authorized users only.
- Review authentication and authorization for accounts that can reach the import preconfiguration action in API V1.
- Monitor logs for unexpected use of import preconfiguration workflows or anomalous input associated with the server username field.
- Apply standard CISA ICS recommended practices and defense-in-depth guidance to minimize exposure.
Evidence notes
The source CSAF advisory published by CISA on 2026-02-26 states that XWEB Pro 1.12.1 and earlier is affected by an OS command injection vulnerability in the API V1 import preconfiguration action, where malicious input in the server username field can yield remote code execution. The advisory's remediation section recommends updating to the latest version and notes an alternative direct update path via Copeland servers. No KEV entry is included in the supplied data.
Official resources
-
CVE-2026-23702 CVE record
CVE.org
-
CVE-2026-23702 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory and CSAF record on 2026-02-26. The supplied data does not include a KEV listing or due date.