CVE 9.8 CRITICAL

Unauthenticated Remote Command Execution via Web Console in METIS DFS_CVE-2026-2249

February 11, 2026 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.

AI Analysis

Unauthenticated remote command execution vulnerability in METIS DFS via web console

Basic Information

ID CVE-2026-2249

Source MHV

Published Feb 11, 2026 at 14:16

Affected Product

Vendor METIS Cyberspace Technology SA

Product METIS DFS

Version oscore 2.1.234-r18

Affected Versions METIS Cyberspace Technology SA METIS DFS oscore 2.1.234-r18

CWE Classification

CWE-306 CWE-287

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor METIS Cyberspace Technology SA

Product METIS DFS

Version oscore 2.1.234-r18

References

www.metis.tech /

{
    "lastseen": "",
    "description": "METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.",
    "published": "2026-02-11T14:16:19.157Z",
    "modified": "2026-02-11T14:16:19.157Z",
    "type": "cve",
    "title": "Unauthenticated Remote Command Execution via Web Console in METIS DFS",
    "source": "MHV",
    "references": "https://www.metis.tech/",
    "id": "CVE-2026-2249",
    "bulletinFamily": "",
    "cwe": [
        "CWE-306",
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "METIS Cyberspace Technology SA METIS DFS oscore 2.1.234-r18",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "METIS DFS",
    "version": "oscore 2.1.234-r18",
    "vendor": "METIS Cyberspace Technology SA",
    "ai_description": "Unauthenticated remote command execution vulnerability in METIS DFS via web console",
    "ai_severity": "Critical",
    "ai_vendor": "METIS Cyberspace Technology SA",
    "ai_product": "METIS DFS",
    "ai_version": "oscore 2.1.234-r18",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply