XWEB Pro versions 1.12.1 and prior allow attackers to control the system

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

8.8

XWEB Pro versions 1.12.1 and prior allow attackers to control the system

CVE-2026-25037

Summary

A security flaw in XWEB Pro versions 1.12.1 and earlier allows an attacker who has already logged in to the system to gain control over the computer. This could allow the attacker to do anything they want on the computer, including deleting or stealing files. Update to the latest version of XWEB Pro to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
copeland	xweb_300d_pro_firmware	<= 1.12.1	–
copeland	xweb_500d_pro_firmware	<= 1.12.1	–
copeland	xweb_500b_pro_firmware	<= 1.12.1	–

Original title

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously...

Original description

An OS command injection

vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an
authenticated attacker to achieve remote code execution on the system by
configuring a maliciously crafted LCD state which is later processed
during system setup, enabling remote code execution.

nvd CVSS3.1 8.8

Vulnerability type

CWE-78 OS Command Injection

https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-05... Third Party Advisory
https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate Product
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10 Third Party Advisory US Government Resource

Published: 27 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026