Copeland Patches Critical Remote Code Execution Flaws in XWEB Monitoring Systems
Take action: If you are using Copeland XWEB Pro firmware, review this advisory in detail. Plan a very quick update since there's a bunch of flaws. Naturally, make sure these industrial devices are never directly exposed to the public internet and are always protected behind a secure VPN.
Learn More
CISA has released an advisory warning of 23 security vulnerabilities affecting Copeland's XWEB and XWEB Pro energy management platforms. Successful exploitation could allow attackers to bypass authentication, execute arbitrary code remotely, cause denial-of-service conditions, and trigger memory corruption.
Vulnerabilities summary:
- CVE-2026-21718 (CVSS score 10) — Authentication bypass via broken cryptographic algorithm enabling pre-authenticated remote code execution
- CVE-2026-24663 (CVSS score 9) — Unauthenticated OS command injection via the libraries installation route
- CVE-2026-25085 (CVSS score 8.6) — Authentication bypass through unexpected return value handling
- CVE-2026-21389 (CVSS score 8) — Authenticated OS command injection via the contacts import route
- CVE-2026-25111 (CVSS score 8) — Authenticated OS command injection via the restore route
- CVE-2026-20742 (CVSS score 8) — Authenticated OS command injection via the templates route
- CVE-2026-24517 (CVSS score 8) — Authenticated OS command injection via the firmware update route
- CVE-2026-25195 (CVSS score 8) — Authenticated OS command injection via a crafted firmware update file
- CVE-2026-20910 (CVSS score 8) — Authenticated OS command injection via the firmware update action devices field
- CVE-2026-24689 (CVSS score 8) — Authenticated OS command injection via the firmware update apply action
- CVE-2026-25109 (CVSS score 8) — Authenticated OS command injection via the get setup route devices field
- CVE-2026-20902 (CVSS score 8) — Authenticated OS command injection via the map filename field in the parameters route
- CVE-2026-24695 (CVSS score 8) — Authenticated OS command injection via OpenSSL argument fields in the utility route
- CVE-2026-25105 (CVSS score 8) — Authenticated OS command injection via Modbus command tool parameters in the debug route
- CVE-2026-24452 (CVSS score 8) — Authenticated OS command injection via a crafted template file in the devices route
- CVE-2026-23702 (CVSS score 8) — Authenticated OS command injection via the server username field in the API V1 import preconfiguration route
- CVE-2026-25721 (CVSS score 8) — Authenticated OS command injection via server credential fields in the API V1 restore action
- CVE-2026-20764 (CVSS score 8) — Authenticated OS command injection via malicious device hostname configuration
- CVE-2026-25196 (CVSS score 8) — Authenticated OS command injection via Wi-Fi SSID and password fields
- CVE-2026-25037 (CVSS score 8) — Authenticated OS command injection via a crafted LCD state configuration
- CVE-2026-3037 (CVSS score 8) — Authenticated OS command injection via the MBird SMS service URL in the utility route
- CVE-2026-20797 (CVSS score 4.3) — Unauthenticated stack-based buffer overflow enabling denial-of-service via API route
- CVE-2026-22877 (CVSS score 3.7) — Unauthenticated arbitrary file read via path traversal, with potential denial-of-service impact
All three affected product lines XWEB 300D PRO, XWEB 500D PRO, and XWEB 500B PRO running firmware version 1.12.1 and earlier are vulnerable.
Copeland has issued a patch and strongly recommends that all users update their XWEB Pro devices to the latest firmware version immediately. Updates can be applied by visiting Copeland's software update portal and navigating to the section for the relevant XWEB Pro model. Alternatively, for devices with active internet connectivity, updates can be pushed directly from Copeland's servers via the device menu under SYSTEM > Updates | Network.
