Cyber Posture

CVE-2026-24663

Critical

Published: 27 February 2026

Published
27 February 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score 9.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0227 84.7th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into…

more

the request body.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly addresses the insufficient input validation in the libraries installation route that enables OS command injection by enforcing comprehensive checks on malicious request body inputs.

SI-2 Flaw Remediation good match
prevent

Mandates timely flaw remediation through application of vendor-provided software updates specifically referenced for this vulnerability, eliminating the injection flaw.

SI-9 Information Input Restrictions partial match
prevent

Restricts the format, length, or character sets of inputs to the libraries installation route, reducing the feasibility of crafting malicious payloads for command injection.

Security SummaryAI

CVE-2026-24663 is an OS command injection vulnerability (CWE-78) affecting XWEB Pro version 1.12.1 and prior versions. The flaw exists in the libraries installation route, where insufficient input validation allows malicious payloads to be processed, leading to arbitrary command execution. Published on 2026-02-27, it carries a CVSS v3.1 base score of 9.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H), indicating critical severity due to its potential for high-impact remote exploitation.

An unauthenticated attacker with network access can exploit the vulnerability by sending a crafted request to the libraries installation route and injecting malicious input into the request body. Despite requiring high attack complexity, successful exploitation enables remote code execution on the affected system, granting attackers full control over confidentiality, integrity, and availability with a scope change to related components.

CISA's ICS Advisory ICSA-26-057-10 provides details on the vulnerability, available at https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10 and in CSAF format at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json. Software updates for mitigation are referenced at https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate.

Details

CWE(s)
CWE-78

Affected Products

copeland
xweb 500b pro firmware
≤ 1.12.1
copeland
xweb 300d pro firmware
≤ 1.12.1
copeland
xweb 500d pro firmware
≤ 1.12.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
Why these techniques?

The vulnerability is an unauthenticated OS command injection in a public-facing web application endpoint (libraries installation route), directly enabling exploitation of public-facing applications (T1190) to achieve remote code execution via command and scripting interpreter (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References