CVE-2026-3037

{"id": "CVE-2026-3037", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "ics-cert@hq.dhs.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.0, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-02-27T02:16:20.330", "references": [{"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json", "tags": ["Third Party Advisory"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate", "tags": ["Product"], "source": "ics-cert@hq.dhs.gov"}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10", "tags": ["Third Party Advisory", "US Government Resource"], "source": "ics-cert@hq.dhs.gov"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "ics-cert@hq.dhs.gov", "description": [{"lang": "en", "value": "CWE-78"}]}], "descriptions": [{"lang": "en", "value": "An OS command injection vulnerability exists in XWEB Pro version 1.12.1 \nand prior, enabling an authenticated attacker to achieve remote code \nexecution on the system by modifying malicious input injected into the \nMBird SMS service URL and/or code via the utility route which is later \nprocessed during system setup, leading to remote code execution."}, {"lang": "es", "value": "Una vulnerabilidad de inyecci\u00f3n de comandos del sistema operativo (OS) existe en XWEB Pro versi\u00f3n 1.12.1 y anteriores, lo que permite a un atacante autenticado lograr la ejecuci\u00f3n remota de c\u00f3digo en el sistema al modificar una entrada maliciosa inyectada en la URL del servicio SMS de MBird y/o en el c\u00f3digo a trav\u00e9s de la ruta de utilidad, que luego se procesa durante la configuraci\u00f3n del sistema, lo que lleva a la ejecuci\u00f3n remota de c\u00f3digo."}], "lastModified": "2026-02-28T01:13:53.703", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:copeland:xweb_300d_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF93AA67-7ABF-45C8-8376-7A28F7D65464", "versionEndIncluding": "1.12.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:copeland:xweb_300d_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "AEA10B9B-531A-4775-B32D-AC743D696126"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:copeland:xweb_500d_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "088F312E-06DF-4B90-A478-A6B5A39DE0F0", "versionEndIncluding": "1.12.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:copeland:xweb_500d_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "A524988E-E22F-4B0F-AEE6-46B3F103989C"}], "operator": "OR"}], "operator": "AND"}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:copeland:xweb_500b_pro_firmware:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E13AD164-C82A-4D6C-84C0-83EB8B0A611C", "versionEndIncluding": "1.12.1"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:h:copeland:xweb_500b_pro:-:*:*:*:*:*:*:*", "vulnerable": false, "matchCriteriaId": "1707F67B-6365-4065-812C-7CC596C6CFF1"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "ics-cert@hq.dhs.gov"}