CVE-2026-3037
Published: 27 February 2026
Summary
CVE-2026-3037 is a high-severity OS Command Injection (CWE-78) vulnerability in Copeland Xweb 300D Pro Firmware. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation and sanitization of untrusted inputs like the MBird SMS service URL and utility route code.
Mandates timely flaw remediation, such as applying available software updates for XWEB Pro to eliminate the command injection vulnerability.
Enforces least privilege to limit high-privilege (PR:H) access to the vulnerable utility route, reducing the attack surface for authenticated exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection (CWE-78) in a network-accessible web application directly enables T1190 (Exploit Public-Facing Application) for initial remote access and T1059.004 (Unix Shell) for arbitrary command execution leading to RCE.
NVD Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the…
more
utility route which is later processed during system setup, leading to remote code execution.
Deeper analysisAI
CVE-2026-3037 is an OS command injection vulnerability (CWE-78) in XWEB Pro version 1.12.1 and prior. The issue allows malicious input injected into the MBird SMS service URL and/or code via the utility route, which is later processed during system setup, enabling remote code execution on the affected system. Published on 2026-02-27, it carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).
An authenticated attacker with high privileges (PR:H) can exploit this vulnerability remotely over the network (AV:N), though it requires high attack complexity (AC:H) and no user interaction (UI:N). Exploitation changes the scope (S:C) and achieves high impacts on confidentiality, integrity, and availability, culminating in full remote code execution on the host system.
CISA ICS Advisory ICSA-26-057-10 outlines mitigation guidance, with a corresponding CSAF document available on GitHub. Software updates addressing the vulnerability can be obtained via the Copeland Dixell System Software Update page.
Details
- CWE(s)