CVE-2026-20764
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2Description
An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system setup, resulting in remote code execution.
Analysis
Authenticated attackers can execute arbitrary OS commands on Xweb Pro devices (versions 1.12.1 and earlier across 300d, 500b, and 500d models) by injecting malicious payloads into the hostname configuration parameter during system setup. This command injection vulnerability grants remote code execution with high privileges on affected systems. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all XWEB Pro installations and their versions; restrict administrative access to affected systems to essential personnel only. Within 7 days: Implement network segmentation to isolate XWEB Pro systems; enable enhanced logging and monitoring for hostname configuration changes; evaluate upgrading to versions beyond 1.12.1 if available. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today