CVE-2026-3037

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 
and prior, enabling an authenticated attacker to achieve remote code 
execution on the system by modifying malicious input injected into the 
MBird SMS service URL and/or code via the utility route which is later 
processed during system setup, leading to remote code execution.
OS Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8 HIGH
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
icscertCNA
8 HIGH
NETWORK
HIGH
HIGH
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-057-10.json
https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate
https://www.cisa.gov/news-events/ics-advisories/icsa-26-057-10