Report a Potential Product Vulnerability
In order to put you in direct contact with the appropriate Copeland Product Security Incident Response Team, this short form will gather essential information about the issue you would like to report.
Product Vulnerability Disclosure Policy
Product Vulnerability Management
Copeland is committed to protecting the security, reliability, and resilience of our products and digital platforms. We maintain processes to receive, assess, prioritize, and address potential cybersecurity vulnerabilities, considering applicable regulatory requirements, product risk, and relevant industry guidance.
We welcome responsible reports of potential cybersecurity vulnerabilities from customers, researchers, partners, suppliers, and vulnerability coordination organizations. If you believe you have identified a security issue involving a Copeland product or digital service, please report it through Copeland’s Report a Potential Product Vulnerability webpage.
Scope
This policy applies to potential cybersecurity vulnerabilities affecting Copeland products, software, firmware, cloud-connected services, mobile applications, APIs, web portals, and related digital components.
Out of Scope
This policy is intended for cybersecurity vulnerability reporting only. Customer support, warranty requests, privacy inquiries, general product quality issues, and other non-security matters are outside the scope of this policy and should be directed to the appropriate Copeland support channel.
What to Include in Your Report
Please include enough detail for Copeland to review and validate the concern, such as:
- Affected product, service, application, or component
- Product model, firmware version, software version, build number, or serial number, if available
- Brand or product family
- General description of the issue
- Your contact information, unless you prefer to report anonymously
Do not submit passwords, cryptographic keys, personal data, customer data, or other sensitive information through an unsecured channel.
Responsible Reporting Guidelines
When submitting a vulnerability report, we ask that you:
- Allow Copeland time to investigate and address the issue before publicly sharing technical details.
- Avoid testing that could disrupt products, services, customer environments, or normal operations.
- Avoid accessing, changing, downloading, or sharing data that is not yours.
- Limit testing to what is necessary to demonstrate the potential vulnerability.
- Understand that Copeland does not provide compensation for vulnerability submissions.
What to Expect
Copeland will make reasonable efforts to:
- Acknowledge receipt of a vulnerability report in a timely manner.
- Review and triage the report to determine whether it is valid and in scope.
- Request additional information when needed to assess the issue.
- Prioritize remediation based on severity, exploitability, exposure, safety impact, customer impact, product lifecycle status, and available mitigations.
- Coordinate disclosure timing when appropriate.
Copeland does not guarantee that every report will result in a product change, security advisory, CVE, public recognition, or direct response beyond acknowledgment and triage.
Coordinated Disclosure
Copeland supports coordinated vulnerability disclosure. We require submitters to keep vulnerability details confidential and avoid public disclosure until Copeland has had a reasonable opportunity to investigate, assess, and address the reported vulnerability.
Where appropriate, Copeland may publish a security advisory that includes affected products, affected versions, severity, CVE identifiers, mitigation steps, remediation steps, update instructions, and customer guidance.
Safe Harbor
Copeland supports good-faith security research conducted in accordance with this policy and applicable law. Copeland does not intend to pursue legal action against individuals who act in good faith, avoid causing harm, and provide Copeland a reasonable opportunity to investigate and address the reported vulnerability. Activities that intentionally harm Copeland systems, products, customers, users, or third parties are not permitted.
Anonymous Reporting
Copeland accepts anonymous vulnerability reports. However, anonymous reporting may limit our ability to request clarification, validate the issue, coordinate remediation, or provide updates.
Policy Updates
Copeland may update this policy from time to time to reflect changes in our products, services, reporting process, or applicable requirements.
Product Security Advisories
| CVE # | Vulnerability | Published Severity / CVSS | Description | Products & Affected Versions | Last Updated |
|---|---|---|---|---|---|
| | Authentication bypass | High / 8.6 | Unexpected authentication return value may be processed as legitimate, resulting in authentication bypass. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | Authentication bypass / pre-auth code execution | Critical / 10.0 | Authentication bypass may allow pre-authenticated code execution. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | Critical / 9.0 | Unauthenticated remote code execution via crafted request to the libraries installation route. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input sent to the contacts import route. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input sent to the restore route. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input sent to the templates route. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input sent to the firmware update route. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via crafted firmware update file. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input in the firmware update action. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input in the devices field when accessing the setup route. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input in the map filename field during map upload. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input in OpenSSL argument fields sent to the utility route. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input to the Modbus command tool in the debug route. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via crafted template file or related device route input. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input in the server username field of the import preconfiguration action. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious input in server username and/or password fields of the restore action. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious device hostname configuration processed during setup. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious Wi-Fi SSID and/or password fields. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious LCD state configuration processed during setup. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | OS command injection | High / 8.0 | Authenticated remote code execution via malicious MBird SMS service URL and/or code processed through the utility route. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | Stack-based buffer overflow | Medium / 4.3 | Unauthenticated attacker may cause stack corruption and program termination. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | Arbitrary file read | Low / 3.7 | Unauthenticated attacker may read arbitrary files and potentially cause denial of service. | XWEB 300D PRO, XWEB 500D PRO, XWEB 500B PRO <= 1.12.1 | Feb. 26, 2026 |
| | Predictable default admin password | Critical / 9.3 | Default ONEDAY admin user has a daily generated password that may be predictable. | E3 Site Supervisor Control firmware < 2.31F01 | Sept. 2025 |
| | Authentication using password hash | Medium / 5.3 | Application services may allow authentication using only the password hash. | E3 Site Supervisor Control firmware < 2.31F01 | Sept. 2025 |
| | Arbitrary file read | High / 8.8 | Floor plan upload feature may allow unauthenticated arbitrary file read from the E3 file system. | E3 Site Supervisor Control firmware < 2.31F01 | Sept. 2025 |
| | Privilege escalation | High / 7.7 | RCI service API may return usernames and password hashes for application services. | E3 Site Supervisor Control firmware < 2.31F01 | Sept. 2025 |
| | Stored XSS | Medium / 5.1 | Crafted floor plan file may inject stored XSS into the floor plan web page. | E3 Site Supervisor Control firmware < 2.31F01 | Sept. 2025 |
| | Denial of service | High / 8.7 | MGW API input validation issue may allow repeated crashes of application services. | E3 Site Supervisor Control firmware < 2.31F01 | Sept. 2025 |
| | Hidden remote access enablement | Medium / 6.9 | Hidden API call may enable SSH and Shellinabox for remote OS access. | E3 Site Supervisor Control firmware < 2.31F01 | Sept. 2025 |
| | Predictable root Linux password | Critical / 9.2 | Root Linux password may be generated using predictable or easily obtained parameters. | E3 Site Supervisor Control firmware < 2.31F01 | Sept. 2025 |
| | Unsigned firmware upgrade packages | High / 8.6 | Admin-level attacker may forge and install malicious firmware upgrade packages. | E3 Site Supervisor Control firmware < 2.31F01 | Sept. 2025 |
| | Unauthenticated file operations | Critical / 9.3 | Proprietary E2 protocol may allow unauthenticated file operations on system files. | E2 Facility Management Systems | Sept. 2025 |
Government Information Request
This form is intended for government officials or authorized representatives requesting information about Copeland products, solutions, or business operations.
This short form helps Copeland route your request to the appropriate internal team for review and response.
Note: Do not use this form to submit confidential, classified, export-controlled, or legally privileged information. This form is not intended for service of legal process, subpoenas, or formal legal notices, which should be submitted in accordance with applicable legal requirements.