CVE-2026-2249 PUBLISHED

Unauthenticated Remote Command Execution via Web Console in METIS DFS

Assigner: MHV
Reserved: 09.02.2026 Published: 11.02.2026 Updated: 11.02.2026

METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	METIS Cyberspace Technology SA
Product	METIS DFS
Versions	Default: unaffected Version oscore 2.1.234-r18 is affected Version oscore 2.1.235-r19 is unaffected

Credits

Or Balog (Cydome Security) finder

References

https://www.metis.tech/

Problem Types

CWE-306 Missing Authentication for Critical Function CWE
CWE-287 Improper Authentication CWE