PT-2026-7598 · Metis Dfs · Metis Dfs

Or Balog · Published 2026-02-11 · Updated 2026-02-11 · CVE-2026-2249

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: METIS DFS versions prior to oscore 2.1.234-r18

Description: METIS DFS devices expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges, resulting in the compromise of the software and granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.

Recommendations: For versions prior to oscore 2.1.234-r18, restrict access to the /console endpoint. For versions prior to oscore 2.1.234-r18, disable the web-based shell if it is not required.

Fix

Weakness Enumeration: Missing Authentication, Improper Authentication

Related Identifiers: CVE-2026-2249

Affected Products: Metis Dfs