PatchSiren cyber security CVE debrief
CVE-2026-25109 Copeland CVE debrief
CVE-2026-25109 is a high-severity OS command injection issue reported in XWEB Pro version 1.12.1 and earlier. According to the CISA CSAF advisory published on 2026-02-26, an authenticated attacker can inject malicious input into the devices field while accessing the get setup route and achieve remote code execution on the system. The advisory says a fix is available and recommends updating to the latest version.
- Vendor
- Copeland
- Product
- XWEB 300D PRO
- CVSS
- HIGH 8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-02-26
- Original CVE updated
- 2026-02-26
- Advisory published
- 2026-02-26
- Advisory updated
- 2026-02-26
Who should care
Operators and administrators of XWEB Pro deployments, especially environments exposing the management interface to remote users or broader network segments. Security teams responsible for OT/industrial control system management interfaces should prioritize this advisory because it affects an authenticated path to remote code execution.
Technical summary
The source advisory describes an OS command injection weakness in XWEB Pro version 1.12.1 and prior. The vulnerable flow is tied to the get setup route, where malicious input in the devices field can be interpreted as a system command. The result is remote code execution by an authenticated attacker. The supplied CVSS 3.1 vector is AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, which aligns with a network-reachable issue requiring high privileges but potentially impacting confidentiality, integrity, and availability across scope.
Defensive priority
High
Recommended defensive actions
- Update XWEB Pro to the latest vendor-provided version using Copeland's software update page or the built-in SYSTEM -> Updates -> Network path if the device has internet access.
- Restrict access to XWEB Pro management interfaces to trusted administrative networks and accounts only.
- Review authentication and authorization controls around the get setup route and any administrative workflows that accept devices field input.
- Monitor for unusual administrative activity, especially unexpected setup changes or command-like input handling in logs.
- Validate that backup, recovery, and incident-response procedures are ready in case the management system is compromised.
Evidence notes
This debrief is based on the CISA CSAF advisory 'Copeland XWEB and XWEB Pro' (ICSA-26-057-10), published and modified on 2026-02-26. The advisory explicitly states that XWEB Pro version 1.12.1 and prior are affected, that the flaw is an OS command injection reachable through the get setup route and devices field, and that Copeland provides a fix. No KEV entry was included in the supplied data.
Official resources
-
CVE-2026-25109 CVE record
CVE.org
-
CVE-2026-25109 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA in the CSAF advisory on 2026-02-26. The supplied record shows the same date for publication and modification, and no Known Exploited Vulnerabilities listing was provided.