Copeland XWEB Pro OS Command Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A vulnerability allowing OS command injection has been identified in Copeland XWEB Pro versions through 1.12.1. This vulnerability enables authenticated attackers to execute remote code on the system by injecting malicious input into OpenSSL argument fields within requests sent to the utility route. The injected code is processed during system setup, leading to unauthorized code execution.
Impact
Exploitation of this vulnerability could allow an authenticated attacker to bypass authentication and execute arbitrary code on the affected system, according to CISA.
Remediation
Copeland has released a patch for this vulnerability. Users are advised to update XWEB Pro to the latest version available. Instructions for updating can be found on the Copeland XWEB Pro System Software Updates page. Alternatively, users can update XWEB Pro directly from Copeland servers via the SYSTEM -- Updates | Network menu.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.