CVE-2026-25105

CVE-2026-25105 is an OS command injection vulnerability (CWE-78) affecting XWEB Pro version 1.12.1 and prior. The flaw resides in the Modbus command tool accessible via the debug route, where insufficient input validation allows malicious payloads to be injected into parameters, leading to arbitrary operating system command execution. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise despite requiring high privileges and elevated attack complexity.

An authenticated attacker with high-level privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) without user interaction (UI:N). By crafting and submitting malicious input to the affected Modbus command tool parameters in the debug route, the attacker achieves remote code execution (RCE) on the underlying system, potentially granting full control including data exfiltration, modification, or disruption (high impact on confidentiality, integrity, and availability with changed scope).

CISA's ICS Advisory ICSA-26-057-10 and the associated CSAF document detail mitigation strategies, while Copeland's Dixell software update page provides patches for remediation. Security practitioners should consult these resources—https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10, https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json, and https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate—for specific patching instructions, workaround guidance, and affected product details.