Posts Page - CloudCentric

CVE-2026-26288

WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.

Affected Products

Everon OCPP Backends

Vendor:
Everon

Product Version:
Everon api.everon.io: vers:all/*

Product Status:
known_affected

Remediations

Mitigation
Everon has shut down their platform on December 1st, 2025.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.4	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-24696

The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.

Affected Products

Everon OCPP Backends

Vendor:
Everon

Product Version:
Everon api.everon.io: vers:all/*

Product Status:
known_affected

Remediations

Mitigation
Everon has shut down their platform on December 1st, 2025.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-20748

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.

Affected Products

Everon OCPP Backends

Vendor:
Everon

Product Version:
Everon api.everon.io: vers:all/*

Product Status:
known_affected

Remediations

Mitigation
Everon has shut down their platform on December 1st, 2025.

Relevant CWE: CWE-613 Insufficient Session Expiration

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2026-27027

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Affected Products

Everon OCPP Backends

Vendor:
Everon

Product Version:
Everon api.everon.io: vers:all/*

Product Status:
known_affected

Remediations

Mitigation
Everon has shut down their platform on December 1st, 2025.

Relevant CWE: CWE-522 Insufficiently Protected Credentials

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Acknowledgments

Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-03-03

Date	Revision	Summary
2026-03-03	1	Initial Publication

Legal Notice and Terms of Use

Johnson Controls, Inc. Frick Controls Quantum HD

Written by Admin @CloudCentric on February 26, 2026. Posted in CISA-Published Industrial Control System Vulnerabilities.

Summary

Successful exploitation of these vulnerabilities can lead to pre-authentication remote code execution, information leak or denial of service.

The following versions of Johnson Controls, Inc. Frick Controls Quantum HD are affected:

Frick Controls Quantum HD <=10.22 (CVE-2026-21654, CVE-2026-21656, CVE-2026-21657, CVE-2026-21658, CVE-2026-21659, CVE-2026-21660)

CVSS	Vendor	Equipment	Vulnerabilities
v3 9.1	Johnson Controls, Inc.	Johnson Controls, Inc. Frick Controls Quantum HD	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Improper Control of Generation of Code (‘Code Injection’), Relative Path Traversal, Plaintext Storage of a Password

Background

Critical Infrastructure Sectors: Food and Agriculture
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Ireland

Vulnerabilities

CVE-2026-21654

The Frick Controls Quantum HD is vulnerable due to insufficient validation of input in certain parameters that may permit unexpected actions, which could impact the security of the device before authentication occurs.

Affected Products

Johnson Controls, Inc. Frick Controls Quantum HD

Vendor:
Johnson Controls, Inc.

Product Version:
Johnson Controls, Inc. Frick Controls Quantum HD: <=10.22

Product Status:
known_affected

Remediations

Vendor fix
The Frick Controls Quantum HD, versions 10.22 through 11, are legacy platforms that have reached end of support. Johnson Controls, Inc. recommends upgrading to the latest platform, Quantum HD Unity, version 12 or higher. The update procedure can be found here (https://frickcontrolsblob.file.core.windows.net/frickweb1/Quantum-HD-Unity/Quantum_HD_Unity_Software_Update_Procedure.pdf?sv=2018-03-28&si=frickweb1-174C1294FA7&sr=f&sig=us0dhk6IWmCvmDvBs02yJvC%2BjnzbxqZmb4QEpVVDkxY%3D).

Mitigation
After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.

Mitigation
For more detailed mitigation instructions, please see Johnson Controls Product Security Advisory JCI-PSA-2026-05 at https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2026-21656

Affected Products

Johnson Controls, Inc. Frick Controls Quantum HD

Vendor:
Johnson Controls, Inc.

Product Version:
Johnson Controls, Inc. Frick Controls Quantum HD: <=10.22

Product Status:
known_affected

Remediations

Mitigation
After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.

Relevant CWE: CWE-94 Improper Control of Generation of Code (‘Code Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2026-21657

Affected Products

Johnson Controls, Inc. Frick Controls Quantum HD

Vendor:
Johnson Controls, Inc.

Product Version:
Johnson Controls, Inc. Frick Controls Quantum HD: <=10.22

Product Status:
known_affected

Remediations

Mitigation
After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.

Relevant CWE: CWE-94 Improper Control of Generation of Code (‘Code Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2026-21658

Affected Products

Johnson Controls, Inc. Frick Controls Quantum HD

Vendor:
Johnson Controls, Inc.

Product Version:
Johnson Controls, Inc. Frick Controls Quantum HD: <=10.22

Product Status:
known_affected

Remediations

Mitigation
After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.

Relevant CWE: CWE-94 Improper Control of Generation of Code (‘Code Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.1	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

CVE-2026-21659

The Frick Controls Quantum HD contains a vulnerability that allows an unauthenticated attacker to execute arbitrary code on the affected device, leading to full system compromise.

Affected Products

Johnson Controls, Inc. Frick Controls Quantum HD

Vendor:
Johnson Controls, Inc.

Product Version:
Johnson Controls, Inc. Frick Controls Quantum HD: <=10.22

Product Status:
known_affected

Remediations

Mitigation
After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.

Relevant CWE: CWE-23 Relative Path Traversal

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE-2026-21660

Hardcoded credentials in the Frick Controls Quantum HD create a vulnerability that leads to unauthorized access, exposure of sensitive information, and potential misuse or system compromise.

Affected Products

Johnson Controls, Inc. Frick Controls Quantum HD

Vendor:
Johnson Controls, Inc.

Product Version:
Johnson Controls, Inc. Frick Controls Quantum HD: <=10.22

Product Status:
known_affected

Remediations

Mitigation
After completing the upgrade to version 12, verify full compliance with the hardening guide and apply all recommended security configurations.

Relevant CWE: CWE-256 Plaintext Storage of a Password

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	6.2	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Acknowledgments

Noam Moshe of Claroty Research Team 82 reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-02-26

Date	Revision	Summary
2026-02-26	1	Initial Publication

Legal Notice and Terms of Use

Pelco, Inc. Sarix Pro 3 Series IP Cameras

Written by Admin @CloudCentric on February 26, 2026. Posted in CISA-Published Industrial Control System Vulnerabilities.

Summary

Successful exploitation of this vulnerability could allow attackers to gain unauthorized access to sensitive device data, bypass surveillance controls, and expose facilities to privacy breaches, operational risks, and regulatory compliance issues.

The following versions of Pelco, Inc. Sarix Pro 3 Series IP Cameras are affected:

Sarix Professional IMP 3 Series <=02.52 (CVE-2026-1241)
Sarix Professional IXP 3 Series <=02.52 (CVE-2026-1241)
Sarix Professional IBP 3 Series <=02.52 (CVE-2026-1241)
Sarix Professional IWP 3 Series <=02.52 (CVE-2026-1241)

CVSS	Vendor	Equipment	Vulnerabilities
v3 7.5	Pelco, Inc.	Pelco, Inc. Sarix Pro 3 Series IP Cameras	Authentication Bypass Using an Alternate Path or Channel

Background

Critical Infrastructure Sectors: Commercial Facilities, Defense Industrial Base, Energy, Government Services and Facilities, Healthcare and Public Health, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-1241

The Pelco, Inc. Sarix Professional 3 Series Cameras are vulnerable to an authentication bypass issue in their web management interface. The flaw stems from inadequate enforcement of access controls, allowing certain functionality to be accessed without proper authentication. This weakness can lead to unauthorized viewing of live video streams, creating privacy concerns and operational risks for organizations relying on these cameras. Additionally, it may expose operators to regulatory and compliance challenges.

Affected Products

Pelco, Inc. Sarix Pro 3 Series IP Cameras

Vendor:
Pelco, Inc.

Product Version:
Pelco, Inc. Sarix Professional IMP 3 Series: <=02.52, Pelco, Inc. Sarix Professional IXP 3 Series: <=02.52, Pelco, Inc. Sarix Professional IBP 3 Series: <=02.52, Pelco, Inc. Sarix Professional IWP 3 Series: <=02.52

Product Status:
known_affected

Remediations

Mitigation
Pelco, Inc. recommends that all Sarix Professional 3 Series Camera users update their camera firmware to version 02.53 or later. Installing the latest firmware ensures your device receives the most up-to-date bug fixes and critical security enhancements.

Mitigation
More information can be found by visiting Pelco, Inc’s technical support page (https://www.pelco.com/support) for assistance.

Relevant CWE: CWE-288 Authentication Bypass Using an Alternate Path or Channel

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Acknowledgments

Souvik Kandar reported this vulnerability to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-02-26

Date	Revision	Summary
2026-02-26	1	Initial Publication

Legal Notice and Terms of Use

CloudCharge cloudcharge.se

Written by Admin @CloudCentric on February 26, 2026. Posted in CISA-Published Industrial Control System Vulnerabilities.

Summary

Successful exploitation of these vulnerabilities could allow attackers to impersonate charging stations, hijack sessions, suppress or misroute legitimate traffic to cause large-scale denial of service, and manipulate data sent to the backend.

The following versions of CloudCharge cloudcharge.se are affected:

cloudcharge.se vers:all/* (CVE-2026-20781, CVE-2026-25114, CVE-2026-27652, CVE-2026-20733)

CVSS	Vendor	Equipment	Vulnerabilities
v3 9.4	CloudCharge	CloudCharge cloudcharge.se	Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Sweden

Vulnerabilities

CVE-2026-20781

Affected Products

CloudCharge cloudcharge.se

Vendor:
CloudCharge

Product Version:
CloudCharge cloudcharge.se: vers:all/*

Product Status:
known_affected

Remediations

Mitigation
CloudCharge did not respond to CISA’s request for coordination. Contact CloudCharge using their contact page here: https://cloudcharge.tech/support/contact/ for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.4	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-25114

Affected Products

CloudCharge cloudcharge.se

Vendor:
CloudCharge

Product Version:
CloudCharge cloudcharge.se: vers:all/*

Product Status:
known_affected

Remediations

Mitigation
CloudCharge did not respond to CISA’s request for coordination. Contact CloudCharge using their contact page here: https://cloudcharge.tech/support/contact/ for more information.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-27652

Affected Products

CloudCharge cloudcharge.se

Vendor:
CloudCharge

Product Version:
CloudCharge cloudcharge.se: vers:all/*

Product Status:
known_affected

Remediations

Mitigation
CloudCharge did not respond to CISA’s request for coordination. Contact CloudCharge using their contact page here: https://cloudcharge.tech/support/contact/ for more information.

Relevant CWE: CWE-613 Insufficient Session Expiration

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2026-20733

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Affected Products

CloudCharge cloudcharge.se

Vendor:
CloudCharge

Product Version:
CloudCharge cloudcharge.se: vers:all/*

Product Status:
known_affected

Remediations

Mitigation
CloudCharge did not respond to CISA’s request for coordination. Contact CloudCharge using their contact page here: https://cloudcharge.tech/support/contact/ for more information.

Relevant CWE: CWE-522 Insufficiently Protected Credentials

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Acknowledgments

Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-02-26

Date	Revision	Summary
2026-02-26	1	Initial Publication

Legal Notice and Terms of Use

EV2GO ev2go.io

Written by Admin @CloudCentric on February 26, 2026. Posted in CISA-Published Industrial Control System Vulnerabilities.

Summary

The following versions of EV2GO ev2go.io are affected:

ev2go.io vers:all/* (CVE-2026-24731, CVE-2026-25945, CVE-2026-20895, CVE-2026-22890)

CVSS	Vendor	Equipment	Vulnerabilities
v3 9.4	EV2GO	EV2GO ev2go.io	Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United Kingdom

Vulnerabilities

CVE-2026-24731

Affected Products

EV2GO ev2go.io

Vendor:
EV2GO

Product Version:
EV2GO ev2go.io: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV2GO did not respond to CISA’s request for coordination. Contact EV2GO using their contact page here: https://ev2go.io/ for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.4	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-25945

Affected Products

EV2GO ev2go.io

Vendor:
EV2GO

Product Version:
EV2GO ev2go.io: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV2GO did not respond to CISA’s request for coordination. Contact EV2GO using their contact page here: https://ev2go.io/ for more information.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-20895

Affected Products

EV2GO ev2go.io

Vendor:
EV2GO

Product Version:
EV2GO ev2go.io: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV2GO did not respond to CISA’s request for coordination. Contact EV2GO using their contact page here: https://ev2go.io/ for more information.

Relevant CWE: CWE-613 Insufficient Session Expiration

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2026-22890

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Affected Products

EV2GO ev2go.io

Vendor:
EV2GO

Product Version:
EV2GO ev2go.io: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV2GO did not respond to CISA’s request for coordination. Contact EV2GO using their contact page here: https://ev2go.io/ for more information.

Relevant CWE: CWE-522 Insufficiently Protected Credentials

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Acknowledgments

Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-02-26

Date	Revision	Summary
2026-02-26	1	Initial Publication

Legal Notice and Terms of Use

SWITCH EV swtchenergy.com

Written by Admin @CloudCentric on February 26, 2026. Posted in CISA-Published Industrial Control System Vulnerabilities.

Summary

The following versions of SWITCH EV swtchenergy.com are affected:

swtchenergy.com vers:all/* (CVE-2026-27767, CVE-2026-25113, CVE-2026-25778, CVE-2026-27773)

CVSS	Vendor	Equipment	Vulnerabilities
v3 9.4	SWITCH EV	SWITCH EV swtchenergy.com	Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-27767

Affected Products

SWITCH EV swtchenergy.com

Vendor:
SWITCH EV

Product Version:
SWITCH EV swtchenergy.com: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
SWITCH EV did not respond to CISA’s request for coordination. Contact SWITCH EV using their contact page here: https://swtchenergy.com/contact/ for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.4	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-25113

Affected Products

SWITCH EV swtchenergy.com

Vendor:
SWITCH EV

Product Version:
SWITCH EV swtchenergy.com: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
SWITCH EV did not respond to CISA’s request for coordination. Contact SWITCH EV using their contact page here: https://swtchenergy.com/contact/ for more information.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-25778

Affected Products

SWITCH EV swtchenergy.com

Vendor:
SWITCH EV

Product Version:
SWITCH EV swtchenergy.com: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
SWITCH EV did not respond to CISA’s request for coordination. Contact SWITCH EV using their contact page here: https://swtchenergy.com/contact/ for more information.

Relevant CWE: CWE-613 Insufficient Session Expiration

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2026-27773

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Affected Products

SWITCH EV swtchenergy.com

Vendor:
SWITCH EV

Product Version:
SWITCH EV swtchenergy.com: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
SWITCH EV did not respond to CISA’s request for coordination. Contact SWITCH EV using their contact page here: https://swtchenergy.com/contact/ for more information.

Relevant CWE: CWE-522 Insufficiently Protected Credentials

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Acknowledgments

Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-02-26

Date	Revision	Summary
2026-02-26	1	Initial Publication

Legal Notice and Terms of Use

EV Energy ev.energy

Written by Admin @CloudCentric on February 26, 2026. Posted in CISA-Published Industrial Control System Vulnerabilities.

Summary

The following versions of EV Energy ev.energy are affected:

ev.energy vers:all/* (CVE-2026-27772, CVE-2026-24445, CVE-2026-26290, CVE-2026-25774)

CVSS	Vendor	Equipment	Vulnerabilities
v3 9.4	EV Energy	EV Energy ev.energy	Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United Kingdom

Vulnerabilities

CVE-2026-27772

Affected Products

EV Energy ev.energy

Vendor:
EV Energy

Product Version:
EV Energy ev.energy: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV Energy did not respond to CISA’s request for coordination. Contact EV Energy using their contact page here: https://www.ev.energy/en-us for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.4	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-24445

Affected Products

EV Energy ev.energy

Vendor:
EV Energy

Product Version:
EV Energy ev.energy: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV Energy did not respond to CISA’s request for coordination. Contact EV Energy using their contact page here: https://www.ev.energy/en-us for more information.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-26290

Affected Products

EV Energy ev.energy

Vendor:
EV Energy

Product Version:
EV Energy ev.energy: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV Energy did not respond to CISA’s request for coordination. Contact EV Energy using their contact page here: https://www.ev.energy/en-us for more information.

Relevant CWE: CWE-613 Insufficient Session Expiration

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2026-25774

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Affected Products

EV Energy ev.energy

Vendor:
EV Energy

Product Version:
EV Energy ev.energy: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
EV Energy did not respond to CISA’s request for coordination. Contact EV Energy using their contact page here: https://www.ev.energy/en-us for more information.

Relevant CWE: CWE-522 Insufficiently Protected Credentials

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Acknowledgments

Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-02-26

Date	Revision	Summary
2026-02-26	1	Initial Publication

Legal Notice and Terms of Use

Mobility46 mobility46.se

Written by Admin @CloudCentric on February 26, 2026. Posted in CISA-Published Industrial Control System Vulnerabilities.

Summary

The following versions of Mobility46 mobility46.se are affected:

mobility46.se vers:all/* (CVE-2026-27028, CVE-2026-26305, CVE-2026-27647, CVE-2026-22878)

CVSS	Vendor	Equipment	Vulnerabilities
v3 9.4	Mobility46	Mobility46 mobility46.se	Missing Authentication for Critical Function, Improper Restriction of Excessive Authentication Attempts, Insufficient Session Expiration, Insufficiently Protected Credentials

Background

Critical Infrastructure Sectors: Energy, Transportation Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Sweden

Vulnerabilities

CVE-2026-27028

Affected Products

Mobility46 mobility46.se

Vendor:
Mobility46

Product Version:
Mobility46 mobility46.se: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
Mobility46 did not respond to CISA’s request for coordination. Contact Mobility46 using their contact page here: https://www.mobility46.se/en/contact-us for more information.

Relevant CWE: CWE-306 Missing Authentication for Critical Function

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9.4	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CVE-2026-26305

Affected Products

Mobility46 mobility46.se

Vendor:
Mobility46

Product Version:
Mobility46 mobility46.se: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
Mobility46 did not respond to CISA’s request for coordination. Contact Mobility46 using their contact page here: https://www.mobility46.se/en/contact-us for more information.

Relevant CWE: CWE-307 Improper Restriction of Excessive Authentication Attempts

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2026-27647

Affected Products

Mobility46 mobility46.se

Vendor:
Mobility46

Product Version:
Mobility46 mobility46.se: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
Mobility46 did not respond to CISA’s request for coordination. Contact Mobility46 using their contact page here: https://www.mobility46.se/en/contact-us for more information.

Relevant CWE: CWE-613 Insufficient Session Expiration

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	7.3	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVE-2026-22878

Charging station authentication identifiers are publicly accessible via web-based mapping platforms.

Affected Products

Mobility46 mobility46.se

Vendor:
Mobility46

Product Version:
Mobility46 mobility46.se: vers:all/*

Product Status:
known_affected

Remediations

Vendor fix
Mobility46 did not respond to CISA’s request for coordination. Contact Mobility46 using their contact page here: https://www.mobility46.se/en/contact-us for more information.

Relevant CWE: CWE-522 Insufficiently Protected Credentials

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Acknowledgments

Khaled Sarieddine and Mohammad Ali Sayed reported these vulnerabilities to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time.

Revision History

Initial Release Date: 2026-02-26

Date	Revision	Summary
2026-02-26	1	Initial Publication

Legal Notice and Terms of Use

Yokogawa CENTUM VP R6, R7

Written by Admin @CloudCentric on February 26, 2026. Posted in CISA-Published Industrial Control System Vulnerabilities.

Summary

Successful exploitation of these vulnerabilities could allow an attacker to terminate the software stack process, cause a denial-of-service condition, or execute arbitrary code.

The following versions of Yokogawa CENTUM VP R6, R7 are affected:

Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300) <=R1.07.00 (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023)
Vnet/IP Interface Package for CENTUM VP R7 (VP7C3300) <=R1.07.00 (CVE-2025-1924, CVE-2025-48019, CVE-2025-48020, CVE-2025-48021, CVE-2025-48022, CVE-2025-48023)

CVSS	Vendor	Equipment	Vulnerabilities
v3 6.9	Yokogawa	Yokogawa CENTUM VP R6, R7	Out-of-bounds Write, Reachable Assertion, Integer Underflow (Wrap or Wraparound), Improper Handling of Length Parameter Inconsistency

Background

Critical Infrastructure Sectors: Critical Manufacturing, Energy, Food and Agriculture
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Japan

Vulnerabilities

CVE-2025-1924

If the affected product receives maliciously crafted packets, a DoS attack may cause Vnet/IP communication functions to stop or arbitrary programs to be executed.

Affected Products

Yokogawa CENTUM VP R6, R7

Vendor:
Yokogawa

Product Version:
Yokogawa Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300): <=R1.07.00, Yokogawa Vnet/IP Interface Package for CENTUM VP R7 (VP7C3300): <=R1.07.00

Product Status:
known_affected

Remediations

Mitigation
Yokogawa recommends users apply patch software (R1.08.00).

Mitigation
Yokogawa recommends users contact a local supporting office for further information or support. https://contact.yokogawa.com/cs/gw?c-id=000498

Mitigation
For more information and details on implementing these mitigations, users should see the Yokogawa advisory YSAR-26-0002 at https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0002-E.pdf

Relevant CWE: CWE-787 Out-of-bounds Write

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	6.9	MEDIUM	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:H

CVE-2025-48019

If the affected product receives maliciously crafted packets, Vnet/IP software stack process may be terminated.

Affected Products

Yokogawa CENTUM VP R6, R7

Vendor:
Yokogawa

Product Version:
Yokogawa Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300): <=R1.07.00, Yokogawa Vnet/IP Interface Package for CENTUM VP R7 (VP7C3300): <=R1.07.00

Product Status:
known_affected

Remediations

Mitigation
Yokogawa recommends users apply patch software (R1.08.00).

Mitigation
Yokogawa recommends users contact a local supporting office for further information or support. https://contact.yokogawa.com/cs/gw?c-id=000498

Relevant CWE: CWE-617 Reachable Assertion

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	5.3	MEDIUM	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-48020

If the affected product receives maliciously crafted packets, Vnet/IP software stack process may be terminated.

Affected Products

Yokogawa CENTUM VP R6, R7

Vendor:
Yokogawa

Product Version:
Yokogawa Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300): <=R1.07.00, Yokogawa Vnet/IP Interface Package for CENTUM VP R7 (VP7C3300): <=R1.07.00

Product Status:
known_affected

Remediations

Mitigation
Yokogawa recommends users apply patch software (R1.08.00).

Mitigation
Yokogawa recommends users contact a local supporting office for further information or support. https://contact.yokogawa.com/cs/gw?c-id=000498

Relevant CWE: CWE-617 Reachable Assertion

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	5.3	MEDIUM	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-48021

If theaffected product receives maliciously crafted packets, Vnet/IP software stack process may be terminated.

Affected Products

Yokogawa CENTUM VP R6, R7

Vendor:
Yokogawa

Product Version:
Yokogawa Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300): <=R1.07.00, Yokogawa Vnet/IP Interface Package for CENTUM VP R7 (VP7C3300): <=R1.07.00

Product Status:
known_affected

Remediations

Mitigation
Yokogawa recommends users apply patch software (R1.08.00).

Mitigation
Yokogawa recommends users contact a local supporting office for further information or support. https://contact.yokogawa.com/cs/gw?c-id=000498

Relevant CWE: CWE-191 Integer Underflow (Wrap or Wraparound)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	5.3	MEDIUM	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-48022

If the affected product receives maliciously crafted packets, Vnet/IP software stack process may be terminated.

Affected Products

Yokogawa CENTUM VP R6, R7

Vendor:
Yokogawa

Product Version:
Yokogawa Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300): <=R1.07.00, Yokogawa Vnet/IP Interface Package for CENTUM VP R7 (VP7C3300): <=R1.07.00

Product Status:
known_affected

Remediations

Mitigation
Yokogawa recommends users apply patch software (R1.08.00).

Mitigation
Yokogawa recommends users contact a local supporting office for further information or support. https://contact.yokogawa.com/cs/gw?c-id=000498

Relevant CWE: CWE-130 Improper Handling of Length Parameter Inconsistency

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	5.3	MEDIUM	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2025-48023

If the affected product receives maliciously crafted packets, Vnet/IP software stack process may be terminated.

Affected Products

Yokogawa CENTUM VP R6, R7

Vendor:
Yokogawa

Product Version:
Yokogawa Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300): <=R1.07.00, Yokogawa Vnet/IP Interface Package for CENTUM VP R7 (VP7C3300): <=R1.07.00

Product Status:
known_affected

Remediations

Mitigation
Yokogawa recommends users apply patch software (R1.08.00).

Mitigation
Yokogawa recommends users contact a local supporting office for further information or support. https://contact.yokogawa.com/cs/gw?c-id=000498

Relevant CWE: CWE-617 Reachable Assertion

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	5.3	MEDIUM	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Acknowledgments

Dmitry Sklyar and Demid Uzenkov of Positive Technologies reported these vulnerabilities to Yokogawa

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolating them from business networks.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.

Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.

Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have a high attack complexity.

Revision History

Initial Release Date: 2026-02-26

Date	Revision	Summary
2026-02-26	1	Initial Republication of YSAR-26-0002

Legal Notice and Terms of Use

Copeland XWEB and XWEB Pro

Written by Admin @CloudCentric on February 26, 2026. Posted in CISA-Published Industrial Control System Vulnerabilities.

Summary

Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication, cause a denial-of-service condition, cause memory corruption, and execute arbitrary code.

The following versions of Copeland XWEB and XWEB Pro are affected:

XWEB 300D PRO <=1.12.1 (CVE-2026-25085, CVE-2026-21718, CVE-2026-24663, CVE-2026-21389, CVE-2026-25111, CVE-2026-20742, CVE-2026-24517, CVE-2026-25195, CVE-2026-20910, CVE-2026-24689, CVE-2026-25109, CVE-2026-20902, CVE-2026-24695, CVE-2026-25105, CVE-2026-24452, CVE-2026-23702, CVE-2026-25721, CVE-2026-20764, CVE-2026-25196, CVE-2026-25037, CVE-2026-22877, CVE-2026-20797, CVE-2026-3037)
XWEB 500D PRO <=1.12.1 (CVE-2026-25085, CVE-2026-21718, CVE-2026-24663, CVE-2026-21389, CVE-2026-25111, CVE-2026-20742, CVE-2026-24517, CVE-2026-25195, CVE-2026-20910, CVE-2026-24689, CVE-2026-25109, CVE-2026-20902, CVE-2026-24695, CVE-2026-25105, CVE-2026-24452, CVE-2026-23702, CVE-2026-25721, CVE-2026-20764, CVE-2026-25196, CVE-2026-25037, CVE-2026-22877, CVE-2026-20797, CVE-2026-3037)
XWEB 500B PRO <=1.12.1 (CVE-2026-25085, CVE-2026-21718, CVE-2026-24663, CVE-2026-21389, CVE-2026-25111, CVE-2026-20742, CVE-2026-24517, CVE-2026-25195, CVE-2026-20910, CVE-2026-24689, CVE-2026-25109, CVE-2026-20902, CVE-2026-24695, CVE-2026-25105, CVE-2026-24452, CVE-2026-23702, CVE-2026-25721, CVE-2026-20764, CVE-2026-25196, CVE-2026-25037, CVE-2026-22877, CVE-2026-20797, CVE-2026-3037)

CVSS	Vendor	Equipment	Vulnerabilities
v3 10	Copeland	Copeland XWEB and XWEB Pro	Unexpected Status Code or Return Value, Use of a Broken or Risky Cryptographic Algorithm, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Stack-based Buffer Overflow

Background

Critical Infrastructure Sectors: Commercial Facilities
Countries/Areas Deployed: Worldwide
Company Headquarters Location: United States

Vulnerabilities

CVE-2026-25085

A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in which an unexpected return value from the authentication routine is later on processed as a legitimate value, resulting in an authentication bypass.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Copeland has provided a fix for the vulnerabilities and recommends users update the XWEB Pro to the latest version by going to their software update page https://webapps.copeland.com/Dixell/Pages/SystemSoftwareUpdate in the sections dedicated to the different XWEBPRO models page.

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-394 Unexpected Status Code or Return Value

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8.6	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVE-2026-21718

An authentication bypass vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, enabling any attackers to bypass the authentication requirement and achieve pre-authenticated code execution on the system.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	10	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2026-24663

An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an unauthenticated attacker to achieve remote code execution on the system by sending a crafted request to the libraries installation route and injecting malicious input into the request body.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	9	CRITICAL	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

CVE-2026-21389

An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into the request body sent to the contacts import route.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25111

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-20742

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-24517

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25195

An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by supplying a crafted firmware update file via the firmware update route.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-20910

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-24689

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25109

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-20902

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-24695

An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into OpenSSL argument fields within requests sent to the utility route, leading to remote code execution.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25105

An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by injecting malicious input into parameters of the Modbus command tool in the debug route.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-24452

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-23702

An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25721

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-20764

An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by providing malicious input via the device hostname configuration which is later processed during system setup, resulting in remote code execution.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25196

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-25037

An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by configuring a maliciously crafted LCD state which is later processed during system setup, enabling remote code execution.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	8	HIGH	CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE-2026-22877

An arbitrary file-read vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to read arbitrary files on the system, and potentially causing a denial-of-service attack.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	3.7	LOW	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2026-20797

A stack based buffer overflow exists in an API route of XWEB Pro version 1.12.1 and prior, enabling unauthenticated attackers to cause stack corruption and a termination of the program.

Affected Products

Copeland XWEB and XWEB Pro

Vendor:
Copeland

Product Version:
Copeland XWEB 300D PRO: <=1.12.1, Copeland XWEB 500D PRO: <=1.12.1, Copeland XWEB 500B PRO: <=1.12.1

Product Status:
known_affected

Remediations

Mitigation
Alternatively, a user logged into an XWEB Pro with internet access can update XWEB Pro directly from Copeland servers via the menu SYSTEM — Updates | Network.

Relevant CWE: CWE-121 Stack-based Buffer Overflow

Metrics

CVSS Version	Base Score	Base Severity	Vector String
3.1	4.3	MEDIUM	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVE-2026-3037

An OS Command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by modifying malicious input injected into the MBird SMS service URL and/or code via the utility route which is later processed during system setup, leading to remote code execution.