OTPulse

Copeland XWEB and XWEB Pro

Act Now · CVSS 10 · ICS-CERT ICSA-26-057-10 · Feb 26, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

XWEB Pro controllers contain multiple critical vulnerabilities in authentication, cryptography, input validation, path traversal, and memory handling (CWE-394, CWE-327, CWE-78, CWE-22, CWE-121). Successful exploitation allows an attacker to bypass authentication, execute arbitrary code, trigger denial-of-service conditions, and corrupt memory. The attack vector is the network-facing web interface, which accepts connections without authentication.

What this means
What could happen
An attacker could bypass authentication on the XWEB Pro controller, execute arbitrary code, crash the device, or corrupt memory—potentially stopping refrigeration or HVAC operations or altering temperature setpoints.
Who's at risk
Copeland XWEB 300D PRO, 500D PRO, and 500B PRO controllers are affected. These devices manage refrigeration, freezer, and HVAC systems in food retail, cold storage, supermarkets, and commercial/industrial cooling applications. Any facility using these controllers to monitor and control temperature-critical processes is at risk.
How it could be exploited
An attacker with network access to the XWEB Pro web interface can craft malicious requests that exploit multiple weaknesses in authentication, input validation, and memory handling. No credentials or user interaction are required; the attacker can directly inject code or trigger crashes over the network.
Prerequisites
  • Network access to the XWEB Pro web interface (typically port 80/443)
  • No authentication required
remotely exploitable · no authentication required · low complexity · affects safety and process systems · no patch available for affected versions
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (3)
3 pending
Product | Affected Versions | Fix Status
XWEB 300D PRO | ≤ 1.12.1 | No fix yet
XWEB 500D PRO | ≤ 1.12.1 | No fix yet
XWEB 500B PRO | ≤ 1.12.1 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the XWEB Pro web interface using a firewall; only allow connections from trusted engineering workstations or management networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update XWEB Pro firmware to the latest version via https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate
HOTFIX: If XWEB Pro has internet access, use the built-in update feature (SYSTEM > Updates > Network) to apply firmware patches directly from Copeland servers
Long-term hardening
HARDENING: Segment the XWEB Pro controller onto a separate network with limited external connectivity; require VPN or jump-host access for remote management
Copeland XWEB and XWEB Pro | CVSS 10 - OTPulse