CVE-2026-25105
Published: 27 February 2026
Summary
CVE-2026-25105 is a high-severity OS Command Injection (CWE-78) vulnerability in Copeland Xweb 300D Pro Firmware. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the OS command injection by requiring comprehensive input validation on Modbus command tool parameters in the debug route.
Mitigates the vulnerability through identification, reporting, and timely remediation of the specific flaw via vendor patches.
Prevents exploitation by restricting or disabling non-essential capabilities like the debug route Modbus command tool.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection in a network-accessible debug route enables exploitation of remote services (T1210) for arbitrary command execution via the OS command interpreter (T1059).
NVD Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into parameters of the Modbus command tool in the debug route.
Deeper analysisAI
CVE-2026-25105 is an OS command injection vulnerability (CWE-78) affecting XWEB Pro version 1.12.1 and prior. The flaw resides in the Modbus command tool accessible via the debug route, where insufficient input validation allows malicious payloads to be injected into parameters, leading to arbitrary operating system command execution. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H), indicating high severity due to its potential for complete system compromise despite requiring high privileges and elevated attack complexity.
An authenticated attacker with high-level privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N) without user interaction (UI:N). By crafting and submitting malicious input to the affected Modbus command tool parameters in the debug route, the attacker achieves remote code execution (RCE) on the underlying system, potentially granting full control including data exfiltration, modification, or disruption (high impact on confidentiality, integrity, and availability with changed scope).
CISA's ICS Advisory ICSA-26-057-10 and the associated CSAF document detail mitigation strategies, while Copeland's Dixell software update page provides patches for remediation. Security practitioners should consult these resources—https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10, https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json, and https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate—for specific patching instructions, workaround guidance, and affected product details.
Details
- CWE(s)