CVE-2026-24663

Copeland · XWEB Pro

An unauthenticated OS command injection vulnerability in Copeland XWEB Pro allows remote code execution via a crafted request to the libraries installation route.

Executive summary

Unauthenticated OS command injection in Copeland XWEB Pro allows remote attackers to execute arbitrary commands, leading to complete system takeover.

Vulnerability

The vulnerability exists in the libraries installation route. An unauthenticated attacker can send a crafted HTTP request whose body contains attacker-controlled input; the application incorporates that input into an operating-system command without sanitising it, so the injected text is executed on the device with the privileges of the web application process.

Business impact

This flaw allows full Remote Code Execution (RCE) without any user credentials. In an industrial context, this can lead to the manipulation of temperature controls, disabling of alarms, and theft of operational data. The CVSS score of 9.0 reflects the severe risk to the confidentiality, integrity and availability of the affected systems.

Remediation

Immediate Action: Upgrade XWEB Pro to v1.12.2 or later, the vendor release that remediates the command injection flaw.

Proactive Monitoring: Monitor web server logs for POST requests targeting the library installation route, paying particular attention to requests from sources that are not known operator workstations; note that standard access logs do not record request bodies, so the log alone shows who reached the route, not what was sent. Separately, audit for new, unexpected processes, in particular shells or network utilities spawned as children of the web server process, which is the process-level signature of a successful command injection.

Compensating Controls: Utilize a Web Application Firewall (WAF) to filter for command injection payloads (e.g., semicolons, backticks, pipes) in the request body. Such filters are a stopgap, not a fix: the WAF must decode URL-encoded bodies before matching (otherwise %3B slips past a rule looking for ";"), a rule limited to those three characters misses constructs such as $(...) and embedded newlines, and overly broad rules will block legitimate installs. Apply the vendor update as soon as possible regardless.
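The three checks above (log review of POSTs to the install route, a decode-then-match body filter, and a process audit for shells spawned by the web server) as an added worked example. This is illustrative code written for this page, not Copeland's code and not part of the advisory. The advisory does not publish the route's path, so the path pattern and the "/libraries/install" string in the sample log are placeholders to be replaced with the real route; the log lines and ps output are constructed samples, not real XWEB Pro data.

```python
import re
from urllib.parse import parse_qs

# ASSUMPTION: the advisory names the endpoint only as the "libraries
# installation route" and gives no path. This pattern is a placeholder;
# substitute the real route from the vendor bulletin.
INSTALL_ROUTE = re.compile(r"/[^\s?]*librar", re.IGNORECASE)

# Metacharacters the advisory cites (; ` |) plus constructs a filter that
# stops at those three would miss: $(...), ${...}, &, and embedded newlines.
SHELL_META = re.compile(r"[;`|&\r\n]|\$\(|\$\{")

# Apache/nginx combined log format. The body is not recorded, so this can only
# tell us who hit the route and when.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})\b'
)


def suspicious_fields(raw_body: str) -> list:
    """WAF-style check on a form-encoded body. parse_qs URL-decodes each
    value, so '%3B' is seen as ';' exactly as the application will see it.
    Returns the names of fields whose value contains shell metacharacters."""
    fields = parse_qs(raw_body, keep_blank_values=True)
    return [name for name, values in fields.items()
            if any(SHELL_META.search(v) for v in values)]


def scan_access_log(lines) -> list:
    """Return (ip, timestamp, path) for every POST to the install route.
    Legitimate installs appear too: in an OT network the list should be
    short and every entry attributable to an operator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m["method"] == "POST" and INSTALL_ROUTE.search(m["path"]):
            hits.append((m["ip"], m["ts"], m["path"]))
    return hits


def unexpected_children(ps_output: str,
                        server_names=("httpd", "nginx", "lighttpd")) -> list:
    """Given `ps -eo pid,ppid,comm` text, return (pid, comm) of processes whose
    parent is a web server process and which are not themselves server
    workers. A front end spawning sh/bash/nc is what command injection
    looks like at the process level."""
    procs = {}
    for row in ps_output.strip().splitlines()[1:]:      # skip header
        pid, ppid, comm = row.split(None, 2)
        procs[int(pid)] = (int(ppid), comm)
    server_pids = {pid for pid, (_, comm) in procs.items() if comm in server_names}
    return sorted((pid, comm) for pid, (ppid, comm) in procs.items()
                  if ppid in server_pids and comm not in server_names)


# Constructed sample data (not real traffic); the path is a placeholder.
SAMPLE_LOG = [
    '10.0.5.20 - - [12/Mar/2026:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.5.20 - - [12/Mar/2026:09:15:11 +0000] "POST /libraries/install HTTP/1.1" 200 88',
    '203.0.113.9 - - [12/Mar/2026:09:16:45 +0000] "POST /libraries/install HTTP/1.1" 500 0',
    '10.0.5.21 - - [12/Mar/2026:09:17:00 +0000] "POST /login HTTP/1.1" 302 0',
]

SAMPLE_PS = """PID PPID COMMAND
  1    0 init
 80    1 httpd
 81   80 httpd
 82   80 httpd
 90   81 sh
 91   90 busybox
"""

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("POST to install route:", hit)
    for body in ("name=lib1&file=lib1.tar", "name=lib1%3Bid", "name=$(id)", "name=lib%0aid"):
        print(repr(body), "->", suspicious_fields(body))
    print("unexpected children of web server:", unexpected_children(SAMPLE_PS))
```

The body filter deliberately parses fields before matching so that the "&" separating two legitimate parameters is not itself treated as an injection marker; only an "&" that survives decoding inside a value is flagged. The process check only looks one level down from the server, which is enough to catch the initial shell; a full audit would walk the whole subtree.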

Exploitation status

Public Exploit Available: No

Analyst recommendation

The ability to execute OS commands remotely and without authentication is a critical security failure. Administrators must apply the vendor-provided update immediately to protect their operational technology (OT) environment, and until it is applied the XWEB Pro web interface should not be reachable from untrusted networks.