Software Authentication Bypass (CVE-2026-21718) - Patch Now

Overview

A critical security flaw has been identified in Copeland XWEB Pro building automation software. This vulnerability allows an attacker to completely bypass the system’s login screen, gaining unauthorized access without needing a password. Once inside, the attacker can execute code on the system with full administrative privileges.

Vulnerability Details

This is an authentication bypass vulnerability in Copeland XWEB Pro versions 1.12.1 and all earlier releases. The flaw resides in how the software handles user authentication checks. By crafting a specific network request, an attacker can trick the application into believing they are already a logged-in, authorized user. This grants them immediate access to the system’s control functions and underlying server.

Impact and Risk Assessment

Rated with the maximum CVSS score of 10.0 (CRITICAL), this vulnerability poses a severe risk.

Primary Impacts:

• Unauthorized System Control: Attackers can manipulate building systems (e.g., HVAC, refrigeration) controlled by the software, potentially causing operational disruption, safety issues, or damage.
• Full System Compromise: The ability to execute code allows attackers to install malware, steal sensitive data, or use the system as a foothold to attack other networked devices.
• Lack of Detection: Because the attacker bypasses login, there may be no failed login attempts in logs to alert administrators of the intrusion.

Any internet-facing or network-accessible instance of the affected software is directly exploitable.

Remediation and Mitigation

Immediate action is required to protect affected systems.

1. Immediate Isolation: If possible, disconnect affected Copeland XWEB Pro systems from the internet and restrict network access to only absolutely necessary internal hosts using firewall rules.
2. Apply the Official Update: Contact Copeland (Emerson) for the official security patch that addresses this vulnerability. Apply this update to all instances of XWEB Pro version 1.12.1 and prior as a matter of highest priority. There is no safe workaround; patching is the only complete solution.
3. Network Segmentation: Ensure building management systems (BMS) like XWEB Pro are placed on isolated, dedicated network segments, separate from corporate IT networks, to limit potential lateral movement.
4. Monitor for Compromise: Review system and network logs for any unusual or unauthorized access patterns or unexpected outbound connections from the host system.

Important Note: Do not rely on changing passwords or adding users as a mitigation. The vulnerability bypasses the authentication mechanism entirely, making these measures ineffective. Patching is the only definitive remediation.