
CVE-2026-25721: CWE-78 in Copeland Copeland XWEB 300D PRO

Severity: High
Tags: Vulnerability, CVE-2026-25721, cve, cve-2026-25721, cwe-78
Published: Fri Feb 27 2026 (02/27/2026, 00:55:28 UTC)
Source: CVE Database V5
Vendor/Project: Copeland
Product: Copeland XWEB 300D PRO

Description

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API V1 route.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/06/2026, 21:38:35 UTC

Technical Analysis

CVE-2026-25721 is an OS command injection vulnerability (CWE-78) affecting Copeland XWEB 300D PRO devices running version 1.12.1 and earlier. The flaw is in the handling of the restore action within the API V1 route, specifically in the processing of the server username and password fields. An attacker with authenticated access and high privileges can inject OS commands through these fields, which the system then executes, leading to remote code execution (RCE). The vulnerability has a CVSS 3.1 base score of 8.0 (high severity): the attack vector is network, attack complexity is high, privileges required are high, no user interaction is needed, and scope is changed. The attacker must therefore already hold authenticated access with elevated privileges, but a successful exploit can compromise the confidentiality, integrity, and availability of the device and potentially of the broader network it controls. The vulnerability is particularly critical in industrial control environments where XWEB 300D PRO devices are deployed, as successful exploitation could disrupt operations or cause safety hazards. No public exploits or patches are currently available, increasing the urgency for organizations to implement compensating controls and monitor for suspicious activity. The vulnerability was reserved and published in February 2026 by ICS-CERT, highlighting its relevance to industrial cybersecurity.

Potential Impact

The vulnerability enables remote code execution on critical industrial control devices, potentially allowing attackers to take full control of affected systems. This can lead to unauthorized disclosure of sensitive operational data, manipulation or destruction of system functions, and disruption of industrial processes. The impact extends beyond the device to the operational technology (OT) environment, risking safety incidents, production downtime, and financial losses. Because high privileges are required, exploitation is limited to insiders or attackers who have already breached initial defenses, but the consequences of a successful attack are severe. Because no patches are available, and no exploits are yet known in the wild, organizations may remain vulnerable for an extended period, increasing risk exposure. The vulnerability could also be leveraged as a foothold for lateral movement within critical infrastructure networks, amplifying its impact. Overall, the threat poses a significant risk to industrial sectors relying on Copeland XWEB 300D PRO devices, including manufacturing, energy, and utilities.

Mitigation Recommendations

1. Immediately restrict access to the API V1 restore action interface to trusted and authenticated users only, employing network segmentation and strict access controls.
2. Implement multi-factor authentication (MFA) for all users with high privileges to reduce the risk of credential compromise.
3. Monitor logs and network traffic for unusual activity related to the restore API calls, especially anomalous inputs in username and password fields.
4. Employ application-layer firewalls or intrusion detection/prevention systems (IDS/IPS) with rules targeting command injection patterns specific to this vulnerability.
5. Disable or limit the use of the restore action API if it is not essential to operations until a vendor patch is available.
6. Conduct regular security audits and penetration testing focused on authentication mechanisms and input validation in the affected devices.
7. Coordinate with Copeland for timely updates and patches and plan for rapid deployment once available.
8. Educate operational staff about the risks of credential sharing and phishing attacks that could lead to privilege escalation.
9. Consider deploying endpoint detection and response (EDR) solutions capable of detecting suspicious command execution on these devices.
10. Maintain an incident response plan tailored to industrial control system compromises to quickly contain and remediate any exploitation.
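
A sketch of the input check behind recommendations 3 and 4, added here as an example and not taken from Copeland or from this advisory. It assumes a reverse proxy or WAF hook passes each parsed request body to the check; the record keys (`action`, `server_username`, `server_password`) and the sample records are constructed, since the advisory does not publish the request format.

```python
import re

# Hypothetical key names: the advisory names only the "server username and/or
# password fields" of the restore action, not the actual request schema.
CHECKED_FIELDS = ("server_username", "server_password")

# Usernames get a strict allowlist; anything outside it is reported.
USERNAME_OK = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# Shell constructs that chain, substitute or redirect commands (CWE-78).
# Passwords may legitimately contain some of these, so treat password hits
# as alerts to review rather than as automatic blocks.
SHELL_PATTERNS = {
    "command chaining": re.compile(r"[;&|\n\r]"),
    "command substitution": re.compile(r"`|\$[({]"),
    "redirection": re.compile(r"[<>]"),
}

def inspect_restore_request(record):
    """Return a list of (field, reason) findings for one restore request."""
    if record.get("action") != "restore":
        return []
    findings = []
    for field in CHECKED_FIELDS:
        value = record.get(field)
        if not isinstance(value, str):
            continue
        if field == "server_username" and not USERNAME_OK.fullmatch(value):
            findings.append((field, "outside username allowlist"))
        for reason, pattern in SHELL_PATTERNS.items():
            if pattern.search(value):
                findings.append((field, reason))
    return findings

# Constructed sample records (not captured traffic).
SAMPLE_REQUESTS = [
    {"id": 1, "action": "restore", "server_username": "backup.svc", "server_password": "Tr1cky-Pass_2026"},
    {"id": 2, "action": "restore", "server_username": "backup; id", "server_password": "x"},
    {"id": 3, "action": "restore", "server_username": "backup", "server_password": "pw$(uname -a)"},
    {"id": 4, "action": "backup", "server_username": "a|b", "server_password": "x"},
]

def flagged_ids(requests):
    """IDs of requests with at least one finding."""
    return [r["id"] for r in requests if inspect_restore_request(r)]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["id"], inspect_restore_request(req))
```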


Technical Details

Data Version: 5.2
Assigner Short Name: icscert
Date Reserved: 2026-02-05T16:47:16.553Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a0f2b332ffcdb8a298162b

Added to database: 2/27/2026, 1:26:11 AM

Last enriched: 3/6/2026, 9:38:35 PM

Last updated: 4/13/2026, 9:34:17 AM
