CVE-2026-2248 PUBLISHED

Unauthenticated Remote Root Shell Access via Web Console in METIS WIC

Assigner: MHV
Reserved: 09.02.2026 Published: 11.02.2026 Updated: 11.02.2026

METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	METIS Cyberspace Technology SA
Product	METIS WIC
Versions	Default: unaffected Version oscore 2.1.234-r18 is affected Version oscore 2.1.235-r19 is unaffected

Credits

Or Balog (Cydome Security) finder

References

https://www.metis.tech/

Problem Types

CWE-306 Missing Authentication for Critical Function CWE
CWE-287 Improper Authentication CWE