CVE-2026-25037
Published: 27 February 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-25037 is an OS command injection vulnerability (CWE-78) affecting XWEB Pro version 1.12.1 and prior versions. The flaw allows an authenticated attacker to achieve remote code execution (RCE) on the affected system by configuring a maliciously crafted LCD state, which is subsequently processed during system setup. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise.
Exploitation requires network access and high privileges (PR:H), with high attack complexity (AC:H) but no user interaction (UI:N). A successful attack lets the adversary execute arbitrary operating system commands remotely, potentially leading to full control of the system, with high impact on confidentiality, integrity, and availability and a changed scope (S:C), meaning the impact can extend beyond the vulnerable component.
CISA's ICS Advisory (ICSA-26-057-10) details the vulnerability, with corresponding machine-readable data available via the Cybersecurity and Infrastructure Security Agency's GitHub CSAF repository. Mitigation guidance and patches are referenced on the Dixell/Copeland system software update page, which recommends that users apply the latest updates to address the issue.
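As an added illustration (not XWEB Pro, Dixell or Copeland code), the CWE-78 pattern the summary describes: a web-configurable LCD state that is stored and later handed to a setup step. The setup helper path, the option name and the allowed state names are assumptions; the defensive fix is to allowlist the stored value and invoke the helper without a shell.

```python
"""Hypothetical model of a stored configuration value reaching a setup
command. None of these names come from the affected product."""
import re
import subprocess

# Constructed allowlist of LCD states the (hypothetical) setup step accepts.
ALLOWED_LCD_STATES = {"on", "off", "dim"}
# Shape check as defence in depth; the allowlist already bounds the value.
_STATE_RE = re.compile(r"[a-z]{1,8}")
SETUP_HELPER = "/usr/local/bin/lcd-setup"  # assumed path


def legacy_shell_command(lcd_state: str) -> str:
    """The vulnerable pattern (CWE-78): the stored value is interpolated into
    a command string that would later be run through a shell (shell=True).
    Shell metacharacters in lcd_state then become part of the command line.
    Returned for inspection only; never executed here."""
    return f"{SETUP_HELPER} --state {lcd_state}"


def is_valid_lcd_state(value: str) -> bool:
    """True only for values that match the shape check AND the allowlist."""
    return bool(_STATE_RE.fullmatch(value)) and value in ALLOWED_LCD_STATES


def validate_lcd_state(value: str) -> str:
    """Return the value unchanged if allowed, otherwise raise ValueError.
    Validate at configuration time, so a bad value is never stored, and
    again at setup time, so a tampered store still cannot reach the helper."""
    if not is_valid_lcd_state(value):
        raise ValueError(f"rejected LCD state: {value!r}")
    return value


def build_setup_argv(lcd_state: str) -> list[str]:
    """Hardened form: an argv list with no shell involved. The value is one
    argument to the helper, so metacharacters cannot alter what runs."""
    return [SETUP_HELPER, "--state", validate_lcd_state(lcd_state)]


def run_setup(lcd_state: str, dry_run: bool = True) -> list[str]:
    """Apply the LCD state during setup. dry_run=True only returns the argv
    so the logic can be exercised without the (assumed) helper installed."""
    argv = build_setup_argv(lcd_state)
    if not dry_run:
        subprocess.run(argv, check=True)  # shell=False: argv goes straight to exec
    return argv
```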
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An OS command injection vulnerability in the network-accessible web interface (XWEB Pro) enables exploitation of public-facing or remote services (T1190, T1210), leading to RCE via Unix shell commands (T1059.004).