Cyber Resilience

CVE-2026-24452

HighRCE

Published: 27 February 2026

Published
27 February 2026
Modified
27 February 2026
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0190 77.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-24452 is a high-severity OS Command Injection (CWE-78) vulnerability in Copeland Xweb 300D Pro Firmware. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked in the top 23.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-24452 is an OS command injection vulnerability (CWE-78) affecting XWEB Pro version 1.12.1 and prior versions. The flaw resides in the devices route, where an attacker can supply a crafted template file to trigger command injection. Published on 2026-02-27, it carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity with network accessibility but requiring high privileges and complex preconditions.

An authenticated attacker with high privileges can exploit this vulnerability remotely by submitting a malicious template file via the devices route, leading to arbitrary OS command execution and full remote code execution (RCE) on the affected system. The scoped impact (S:C) amplifies the consequences, potentially allowing complete compromise of confidentiality, integrity, and availability.

CISA's ICS Advisory ICSA-26-057-10, detailed in the associated CSAF JSON file on GitHub, documents the vulnerability, while Copeland's Dixell software update page provides relevant patches or updates for mitigation. Security practitioners should consult these resources for specific remediation steps, such as upgrading to a patched version of XWEB Pro.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted template file to the devices route.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

OS command injection vulnerability enables arbitrary command execution via system interpreters (T1059) and exploitation of a remote web service for RCE (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25105Same product: Copeland Xweb 300D Pro
CVE-2026-20764Same product: Copeland Xweb 300D Pro
CVE-2026-24695Same product: Copeland Xweb 300D Pro
CVE-2026-24689Same product: Copeland Xweb 300D Pro
CVE-2026-25109Same product: Copeland Xweb 300D Pro
CVE-2026-20910Same product: Copeland Xweb 300D Pro
CVE-2026-24663Same product: Copeland Xweb 300D Pro
CVE-2026-21389Same product: Copeland Xweb 300D Pro
CVE-2026-20742Same product: Copeland Xweb 300D Pro
CVE-2026-25721Same product: Copeland Xweb 300D Pro

Affected Assets

copeland
xweb 300d pro firmware
≤ 1.12.1
copeland
xweb 500d pro firmware
≤ 1.12.1
copeland
xweb 500b pro firmware
≤ 1.12.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection by requiring validation of crafted template file inputs supplied to the devices route.

prevent

Mitigates the vulnerability through timely identification, reporting, and patching of the specific flaw in XWEB Pro as provided by the vendor.

prevent

Reduces exploitability by enforcing least privilege, limiting high-privilege access required for authenticated attackers to reach the vulnerable devices route.

References