CVE-2026-25721

Published Feb 27, 2026

Last updated 3 months ago

CVSS high 8.0

Overview

Description: An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API V1 route.
Source: ics-cert@hq.dhs.gov
NVD status: Analyzed
Products: xweb_300d_pro_firmware, xweb_500d_pro_firmware, xweb_500b_pro_firmware

Risk scores

CVSS 3.1

Type: Primary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

ics-cert@hq.dhs.gov: CWE-78

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "BF93AA67-7ABF-45C8-8376-7A28F7D65464",
            "versionEndIncluding": "1.12.1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "AEA10B9B-531A-4775-B32D-AC743D696126",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "088F312E-06DF-4B90-A478-A6B5A39DE0F0",
            "versionEndIncluding": "1.12.1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "A524988E-E22F-4B0F-AEE6-46B3F103989C",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  },
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*",
            "matchCriteriaId": "E13AD164-C82A-4D6C-84C0-83EB8B0A611C",
            "versionEndIncluding": "1.12.1",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      },
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*",
            "matchCriteriaId": "1707F67B-6365-4065-812C-7CC596C6CFF1",
            "vulnerable": false
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ],
    "operator": "AND"
  }
]

References

Sources include official advisories and independent security research.

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

Related CVEs

References