PT-2026-7598 · Metis Dfs · Metis Dfs

Or Balog · Published 2026-02-11 · Updated 2026-02-11 · CVE-2026-2249

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

METIS DFS versions prior to oscore 2.1.234-r18

Description

METIS DFS devices expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges, resulting in the compromise of the software and granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.

Recommendations

For versions prior to oscore 2.1.234-r18, restrict access to the /console endpoint. For versions prior to oscore 2.1.234-r18, disable the web-based shell if it is not required.

Fix

Weakness Enumeration

Missing Authentication

Improper Authentication

Related Identifiers

CVE-2026-2249

Affected Products

Metis Dfs