Cyber Resilience

CVE-2026-25085

High

Published: 27 February 2026

Published
27 February 2026
Modified
09 March 2026
KEV Added
Patch
CVSS Score v3.1 8.6 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS Score 0.0046 36.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-25085 is a high-severity Unexpected Status Code or Return Value (CWE-394) vulnerability in Copeland Xweb 500B Pro Firmware. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SI-11 (Error Handling).

Deeper analysis

CVE-2026-25085 is an authentication bypass vulnerability (CWE-394: Unexpected Return Value or Reference) in Copeland XWEB Pro version 1.12.1 and prior. The flaw occurs when an unexpected return value from the authentication routine is processed as a legitimate value, enabling attackers to circumvent authentication mechanisms without valid credentials.

The vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L), making it exploitable over the network by unauthenticated attackers with low attack complexity and no user interaction. Exploitation allows high-impact unauthorized access to confidential data, alongside low-impact modifications to integrity and availability.

CISA's ICS Advisory ICSA-26-057-10 and Copeland's system software update page provide mitigation details, including patch availability. Security practitioners should review these resources for update instructions and apply them promptly to affected systems.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in which an unexpected return value from the authentication routine is later on processed as a legitimate value, resulting in an authentication bypass.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an authentication bypass in a public-facing web application (XWEB Pro), directly enabling remote exploitation without credentials, matching T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23702Same product: Copeland Xweb 300D Pro
CVE-2026-25111Same product: Copeland Xweb 300D Pro
CVE-2026-21718Same product: Copeland Xweb 300D Pro
CVE-2026-20902Same product: Copeland Xweb 300D Pro
CVE-2026-25195Same product: Copeland Xweb 300D Pro
CVE-2026-24517Same product: Copeland Xweb 300D Pro
CVE-2026-25196Same product: Copeland Xweb 300D Pro
CVE-2026-20910Same product: Copeland Xweb 300D Pro
CVE-2026-25109Same product: Copeland Xweb 300D Pro
CVE-2026-25721Same product: Copeland Xweb 300D Pro

Affected Assets

copeland
xweb 500b pro firmware
≤ 1.12.1
copeland
xweb 300d pro firmware
≤ 1.12.1
copeland
xweb 500d pro firmware
≤ 1.12.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires identification, reporting, and correction of the specific authentication bypass flaw through timely patching of affected Copeland XWEB Pro versions.

prevent

Mandates proper error handling to prevent processing unexpected return values from authentication routines as legitimate, directly countering CWE-394 in this vulnerability.

prevent

Enforces robust identification and authentication mechanisms to mitigate authentication bypass vulnerabilities in system access controls.

References