PatchSiren cyber security CVE debrief
CVE-2026-25105 Copeland CVE debrief
CVE-2026-25105 is a high-severity OS command injection vulnerability in Copeland XWEB Pro. According to CISA’s advisory, an authenticated attacker can inject malicious input into parameters of the Modbus command tool in the debug route and reach remote code execution on the system. Copeland indicates a fix is available and recommends upgrading affected XWEB Pro systems without delay.
- Vendor
- Copeland
- Product
- XWEB 300D PRO
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-02-26
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-02-26
Who should care
OT and facilities teams running Copeland XWEB Pro, especially administrators responsible for exposed management interfaces, debug features, or Modbus-related tooling. Security teams supporting industrial control environments should also treat this as a priority because successful exploitation can lead to system-level code execution.
Technical summary
The advisory describes an OS command injection issue affecting XWEB Pro version 1.12.1 and earlier. The vulnerable input path is tied to parameters of the Modbus command tool in the debug route. The attacker must be authenticated, but if exploitation succeeds, the impact can be remote code execution on the affected system. The published CVSS vector reflects network reachability, high privileges required, no user interaction, and severe confidentiality, integrity, and availability impact.
Defensive priority
High. This is authenticated remote code execution in an industrial/OT-adjacent product, so exposed or broadly accessible management access increases risk even though privileges are required.
Recommended defensive actions
- Apply Copeland’s fix and update XWEB Pro to the latest available version using the vendor’s software update page.
- If the system has internet access and vendor guidance permits it, use the in-product update path: SYSTEM -- Updates | Network.
- Restrict access to XWEB Pro management and debug functionality to trusted administrative networks only.
- Review authentication accounts, roles, and recent administrative activity for suspicious use of the debug route or Modbus command tool.
- Follow CISA ICS recommended practices, including segmentation and least-privilege access for industrial control assets.
Evidence notes
All substantive claims here are taken from the supplied CISA CSAF advisory and its referenced official links. The advisory text states the vulnerability type, affected version boundary, authentication requirement, impacted path, and remote code execution outcome. The remediation text states that Copeland has provided a fix and gives update guidance. Timing context uses the advisory/CVE published date of 2026-02-26, not generation time.
Official resources
-
CVE-2026-25105 CVE record
CVE.org
-
CVE-2026-25105 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory and CVE record on 2026-02-26T07:00:00.000Z. The SSVC marker in the source notes an exploitation-likelihood context of 2026-02-25T07:00:00.000Z, but that is not the publication date.