CVE-2026-25721
Published: 27 February 2026
Description
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Security Summary
CVE-2026-25721 is an OS command injection vulnerability (CWE-78) in XWEB Pro version 1.12.1 and prior. The flaw resides in the API V1 route's restore action, where malicious input can be injected into the server username and/or password fields. It was published on 2026-02-27 with a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
An authenticated attacker with high privileges (PR:H) can exploit this vulnerability over the network (AV:N) without user interaction (UI:N), although the attack complexity is high (AC:H). Successful exploitation enables remote code execution (RCE) on the affected system, with high impact to confidentiality, integrity, and availability and a changed scope (S:C).
Mitigation guidance is available in CISA ICS Advisory ICSA-26-057-10, the associated CSAF document at https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json, and the vendor's system software update page at https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate.
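As an added illustration of the CWE-78 pattern described above, and not XWEB Pro's own code (the product's restore implementation is not public): a hypothetical restore handler in Python, first in the form that splices the request's host, username and password into a single shell string, then in a hardened form that validates the fields and hands them to the backup tool as separate argv entries with shell=False. The tool name restore-tool, the field names and the allow-list patterns are assumptions.

```python
import re
import subprocess
from typing import List

# Constructed allow-lists for this example; a real handler would derive them
# from the backup tool's actual argument grammar.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")
USER_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")  # control bytes never belong in a credential


def build_restore_cmd_unsafe(host: str, user: str, password: str) -> str:
    """The CWE-78 pattern: request fields spliced into one string that is later
    handed to a shell (e.g. shell=True or os.system). Any shell metacharacter in
    a field is interpreted by that shell, not by restore-tool."""
    return f"restore-tool --host {host} --user {user} --password {password}"


def validate_restore_fields(host: str, user: str, password: str) -> None:
    """Reject fields that fall outside a strict allow-list. Host and user get a
    character allow-list; the password only has control bytes rejected, because
    with argv execution (below) shell metacharacters in it are inert."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("restore: rejected host field")
    if not USER_RE.fullmatch(user):
        raise ValueError("restore: rejected user field")
    if CTRL_RE.search(password):
        raise ValueError("restore: rejected password field")


def build_restore_argv(host: str, user: str, password: str) -> List[str]:
    """Hardened form: validated fields become discrete argv entries, so each one
    reaches restore-tool verbatim and no shell ever parses them."""
    validate_restore_fields(host, user, password)
    return ["restore-tool", "--host", host, "--user", user, "--password", password]


def run_restore(host: str, user: str, password: str) -> int:
    """Execute with shell=False: the OS receives the argv list and nothing else."""
    argv = build_restore_argv(host, user, password)
    return subprocess.run(argv, shell=False, check=False).returncode


def is_safe_restore_request(host: str, user: str, password: str) -> bool:
    """Boolean wrapper suitable for a request filter or a detection rule."""
    try:
        validate_restore_fields(host, user, password)
        return True
    except ValueError:
        return False
```

run_restore() is only meaningful once a real restore-tool binary exists on the host; the remaining functions run as-is.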
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
OS command injection in the web API's restore action allows an attacker to exploit a public-facing application (T1190) and achieve remote code execution through a command and scripting interpreter (T1059).