CVE-2026-2249 | METIS DFS devices (versions <= oscore 2.1.234-r18) expose a … | CVSS 9.8 CRITICAL

Description

METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.

Metadata

CVE ID: CVE-2026-2249
State: PUBLISHED
Assigner: MHV
Reserved: 2026-02-09 13:38 UTC
Published: 2026-02-11 14:16 UTC
Last updated: 2026-02-12 15:20 UTC
Primary CWE: CWE-306
CWE-306 Missing Authentication for Critical Function
Vendor / Product: METIS Cyberspace Technology SA / METIS DFS
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
METIS Cyberspace Technology SA	METIS DFS	—	oscore 2.1.234-r18, oscore 2.1.235-r19

Weakness (CWE)

CWE	Source	Description
CWE-287	cna	CWE-287 Improper Authentication
CWE-306	cna	CWE-306 Missing Authentication for Critical Function

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (2)