CVE-2026-20764
Published: 27 February 2026
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2026-20764 is an OS command injection vulnerability (CWE-78) in XWEB Pro version 1.12.1 and prior. Published on 2026-02-27, it enables an authenticated attacker to achieve remote code execution on the affected system by supplying malicious input through the device hostname configuration, which is subsequently processed during system setup.
The vulnerability has a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating exploitation over the network with high attack complexity and requiring high privileges, but no user interaction. A suitably privileged authenticated attacker can inject OS commands via the hostname field to execute arbitrary code remotely during setup processes.
CISA ICS Advisory ICSA-26-057-10 and the vendor's system software update page provide further details on mitigations. Additional resources are available at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json, https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate, and https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in a network-accessible configuration interface (likely web-based) enables exploitation of public-facing applications (T1190), remote services (T1210), and direct abuse of command interpreters for RCE (T1059).