Xweb 500D Pro Firmware

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution.

Published: 2026-02-27T01:06:42.223Z
Updated: 2026-02-27T19:09:35.935Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the server username and/or password fields of the restore action in the API V1 route.

Published: 2026-02-27T00:55:28.813Z
Updated: 2026-03-02T14:28:34.930Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the Wi-Fi SSID and/or password fields can lead to remote code execution when the configuration is processed.

Published: 2026-02-27T00:58:08.674Z
Updated: 2026-03-02T14:27:46.267Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted firmware update file via the firmware update route.

Published: 2026-02-27T00:45:04.949Z
Updated: 2026-03-02T14:30:03.420Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the restore route.

Published: 2026-02-27T00:40:37.734Z
Updated: 2026-03-02T18:44:08.313Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field when accessing the get setup route.

Published: 2026-02-27T00:48:41.531Z
Updated: 2026-06-04T21:22:07.283Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into parameters of the Modbus command tool in the debug route.

Published: 2026-02-27T00:52:21.154Z
Updated: 2026-03-02T12:47:45.130Z

A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in which an unexpected return value from the authentication routine is later on processed as a legitimate value, resulting in an authentication bypass.

Published: 2026-02-27T00:33:06.657Z
Updated: 2026-03-02T18:58:50.355Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote code execution.

Published: 2026-02-27T00:59:14.738Z
Updated: 2026-03-02T14:27:22.123Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into OpenSSL argument fields within requests sent to the utility route, leading to remote code execution.

Published: 2026-02-27T00:51:01.649Z
Updated: 2026-03-02T12:46:09.608Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update apply action.

Published: 2026-02-27T00:47:26.332Z
Updated: 2026-03-03T01:26:47.111Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into the request body.

Published: 2026-02-27T00:36:49.215Z
Updated: 2026-03-02T18:53:35.434Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the firmware update route.

Published: 2026-02-27T00:43:35.813Z
Updated: 2026-03-02T14:30:55.109Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted template file to the devices route.

Published: 2026-02-27T00:53:22.352Z
Updated: 2026-03-02T12:48:21.776Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route.

Published: 2026-02-27T00:54:21.133Z
Updated: 2026-03-02T14:28:55.341Z

An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack.

Published: 2026-02-27T01:01:25.949Z
Updated: 2026-03-02T14:26:42.805Z

An authentication bypass vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, enabling any attackers to bypass the authentication requirement and achieve pre-authenticated code execution on the system.

Published: 2026-02-27T00:34:55.895Z
Updated: 2026-03-02T18:58:23.373Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route.

Published: 2026-02-27T00:38:51.109Z
Updated: 2026-03-02T18:47:21.796Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the devices field of the firmware update action to achieve remote code execution.

Published: 2026-02-27T00:46:14.644Z
Updated: 2026-06-04T21:23:35.378Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the map filename field during the map upload action of the parameters route.

Published: 2026-02-27T00:49:44.858Z
Updated: 2026-03-03T01:25:09.389Z

A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program.

Published: 2026-02-27T01:03:18.783Z
Updated: 2026-05-10T13:30:10.603Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system setup, resulting in remote code execution.

Published: 2026-02-27T00:56:47.460Z
Updated: 2026-03-02T14:28:10.662Z

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into requests sent to the templates route.

Published: 2026-02-27T00:42:12.910Z
Updated: 2026-03-02T18:41:51.393Z