Xweb 500b Pro Firmware
Monthly
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the MBird SMS service URL parameters processed during system setup. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro models, with no patch currently available. Exploitation requires high privilege access but carries high impact due to complete system compromise potential.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the server username or password fields during restore operations via the API V1 endpoint. The vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges but could compromise the entire system. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into Wi-Fi SSID or password configuration fields. The vulnerability affects multiple Xweb Pro models (300d, 500b, 500d) and requires high privilege access to exploit, though successful exploitation grants complete system compromise across the network. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the Modbus command tool parameters accessible through the debug route. The vulnerability affects Xweb 300d Pro, 500d Pro, and 500b Pro devices, with a CVSS score of 8.0 indicating high severity. No patch is currently available for this command injection flaw.
Remote code execution in XWEB Pro firmware versions 1.12.1 and prior allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads through crafted LCD state configurations that are processed during system initialization. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges to exploit, though the impact extends across connected systems. No patch is currently available for this high-severity vulnerability (CVSS 8.0).
Remote code execution in Xweb Pro firmware (versions 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by uploading a malicious template file through the devices route. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro models, with no patch currently available. The high CVSS score of 8.0 reflects the severity of achieving code execution with administrative privileges on vulnerable devices.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier (affecting Xweb 500b Pro, 500d Pro, and 300d Pro models) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the server username field during the import preconfiguration API action. An attacker with administrative privileges can exploit this OS command injection vulnerability to gain complete system compromise. No patch is currently available for this vulnerability.
Unauthenticated attackers can exploit a stack buffer overflow in XWEB Pro firmware (versions 1.12.1 and earlier) through an unprotected API endpoint to corrupt memory and crash the affected device. This vulnerability impacts Xweb 500b Pro, 300d Pro, and 500d Pro models, causing denial of service with no authentication required. No patch is currently available for this issue.
Authenticated attackers can execute arbitrary OS commands on Xweb Pro devices (versions 1.12.1 and earlier across 300d, 500b, and 500d models) by injecting malicious payloads into the hostname configuration parameter during system setup. This command injection vulnerability grants remote code execution with high privileges on affected systems. No patch is currently available, requiring organizations to implement network access controls or disable affected devices until remediation is released.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by submitting a malicious firmware update file through the update mechanism. The vulnerability affects multiple XWEB Pro models (300d, 500d, and 500b) and requires high-level privileges to exploit. No patch is currently available for this high-severity command injection flaw (CVSS 8.0).
Remote code execution in XWEB Pro versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands via malicious input submitted to the restore functionality. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro firmware versions, with no patch currently available. An attacker with valid credentials could compromise the affected device and gain full system control.
Remote code execution in Xweb 300d Pro, 500d Pro, and 500b Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field in the setup route. An attacker with valid credentials can exploit this command injection vulnerability to gain complete system control. No patch is currently available for this vulnerability.
Copeland XWEB Pro firmware versions 1.12.1 and earlier suffer from an authentication bypass vulnerability where malformed authentication responses are incorrectly validated as legitimate, allowing unauthenticated remote attackers to gain unauthorized access. The flaw affects multiple XWEB Pro models (500d, 300d, and 500b) with a CVSS score of 8.6 indicating high severity, though no patch is currently available. An attacker exploiting this vulnerability could bypass security controls and potentially access sensitive device functionality without valid credentials.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary commands by injecting malicious input into OpenSSL parameter fields. An attacker with valid credentials can exploit this command injection vulnerability through the utility route to gain complete system compromise. No patch is currently available for affected XWEB 500b Pro and 300d Pro devices.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the devices field during firmware updates. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Unauthenticated OS command injection in Copeland XWEB Pro HVAC controller version 1.12.1 and prior. EPSS 0.96% indicates real exploitation risk for internet-exposed building automation systems.
Remote code execution in Xweb 300d/500b/500d Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the firmware update endpoint. The vulnerability stems from insufficient input validation in command processing and requires high privileges but affects the entire system scope. No patch is currently available for this HIGH severity issue.
Authentication bypass in Copeland XWEB Pro HVAC controller version 1.12.1 and prior due to weak cryptographic algorithm. CVSS 10.0 — any unauthenticated attacker can gain full system access to building automation controllers.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by submitting malicious input through the contacts import endpoint. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high-level privileges but can compromise the entire system. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field during firmware update operations. The vulnerability affects multiple Xweb Pro models (500d, 500b, and 300d) and requires high-level privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Remote code execution in Xweb 300d Pro, 500b Pro, and 500d Pro firmware (version 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the map filename field during file upload operations. An attacker with valid credentials can exploit this command injection flaw to gain full system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the templates route. Affected versions include Xweb 500d Pro, 300d Pro, and 500b Pro. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the MBird SMS service URL parameters processed during system setup. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro models, with no patch currently available. Exploitation requires high privilege access but carries high impact due to complete system compromise potential.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the server username or password fields during restore operations via the API V1 endpoint. The vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges but could compromise the entire system. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into Wi-Fi SSID or password configuration fields. The vulnerability affects multiple Xweb Pro models (300d, 500b, 500d) and requires high privilege access to exploit, though successful exploitation grants complete system compromise across the network. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the Modbus command tool parameters accessible through the debug route. The vulnerability affects Xweb 300d Pro, 500d Pro, and 500b Pro devices, with a CVSS score of 8.0 indicating high severity. No patch is currently available for this command injection flaw.
Remote code execution in XWEB Pro firmware versions 1.12.1 and prior allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads through crafted LCD state configurations that are processed during system initialization. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro devices and requires high-level privileges to exploit, though the impact extends across connected systems. No patch is currently available for this high-severity vulnerability (CVSS 8.0).
Remote code execution in Xweb Pro firmware (versions 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by uploading a malicious template file through the devices route. This vulnerability affects Xweb 300d Pro, 500b Pro, and 500d Pro models, with no patch currently available. The high CVSS score of 8.0 reflects the severity of achieving code execution with administrative privileges on vulnerable devices.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier (affecting Xweb 500b Pro, 500d Pro, and 300d Pro models) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the server username field during the import preconfiguration API action. An attacker with administrative privileges can exploit this OS command injection vulnerability to gain complete system compromise. No patch is currently available for this vulnerability.
Unauthenticated attackers can exploit a stack buffer overflow in XWEB Pro firmware (versions 1.12.1 and earlier) through an unprotected API endpoint to corrupt memory and crash the affected device. This vulnerability impacts Xweb 500b Pro, 300d Pro, and 500d Pro models, causing denial of service with no authentication required. No patch is currently available for this issue.
Authenticated attackers can execute arbitrary OS commands on Xweb Pro devices (versions 1.12.1 and earlier across 300d, 500b, and 500d models) by injecting malicious payloads into the hostname configuration parameter during system setup. This command injection vulnerability grants remote code execution with high privileges on affected systems. No patch is currently available, requiring organizations to implement network access controls or disable affected devices until remediation is released.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by submitting a malicious firmware update file through the update mechanism. The vulnerability affects multiple XWEB Pro models (300d, 500d, and 500b) and requires high-level privileges to exploit. No patch is currently available for this high-severity command injection flaw (CVSS 8.0).
Remote code execution in XWEB Pro versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands via malicious input submitted to the restore functionality. The vulnerability affects Xweb 500d Pro, 500b Pro, and 300d Pro firmware versions, with no patch currently available. An attacker with valid credentials could compromise the affected device and gain full system control.
Remote code execution in Xweb 300d Pro, 500d Pro, and 500b Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field in the setup route. An attacker with valid credentials can exploit this command injection vulnerability to gain complete system control. No patch is currently available for this vulnerability.
Copeland XWEB Pro firmware versions 1.12.1 and earlier suffer from an authentication bypass vulnerability where malformed authentication responses are incorrectly validated as legitimate, allowing unauthenticated remote attackers to gain unauthorized access. The flaw affects multiple XWEB Pro models (500d, 300d, and 500b) with a CVSS score of 8.6 indicating high severity, though no patch is currently available. An attacker exploiting this vulnerability could bypass security controls and potentially access sensitive device functionality without valid credentials.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary commands by injecting malicious input into OpenSSL parameter fields. An attacker with valid credentials can exploit this command injection vulnerability through the utility route to gain complete system compromise. No patch is currently available for affected XWEB 500b Pro and 300d Pro devices.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the devices field during firmware updates. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Unauthenticated OS command injection in Copeland XWEB Pro HVAC controller version 1.12.1 and prior. EPSS 0.96% indicates real exploitation risk for internet-exposed building automation systems.
Remote code execution in Xweb 300d/500b/500d Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input into the firmware update endpoint. The vulnerability stems from insufficient input validation in command processing and requires high privileges but affects the entire system scope. No patch is currently available for this HIGH severity issue.
Authentication bypass in Copeland XWEB Pro HVAC controller version 1.12.1 and prior due to weak cryptographic algorithm. CVSS 10.0 — any unauthenticated attacker can gain full system access to building automation controllers.
Remote code execution in XWEB Pro firmware (versions 1.12.1 and earlier) allows authenticated attackers to execute arbitrary OS commands by submitting malicious input through the contacts import endpoint. The vulnerability affects multiple Xweb Pro models (500d, 300d, and 500b) and requires high-level privileges but can compromise the entire system. No patch is currently available.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the devices field during firmware update operations. The vulnerability affects multiple Xweb Pro models (500d, 500b, and 300d) and requires high-level privileges to exploit, though it can impact the entire system. No patch is currently available for this HIGH severity issue.
Remote code execution in Xweb 300d Pro, 500b Pro, and 500d Pro firmware (version 1.12.1 and prior) allows authenticated attackers to execute arbitrary OS commands by injecting malicious payloads into the map filename field during file upload operations. An attacker with valid credentials can exploit this command injection flaw to gain full system control. No patch is currently available for this vulnerability.
Remote code execution in XWEB Pro firmware versions 1.12.1 and earlier allows authenticated attackers to execute arbitrary OS commands by injecting malicious input through the templates route. Affected versions include Xweb 500d Pro, 300d Pro, and 500b Pro. No patch is currently available for this vulnerability.