Cyber Posture

CVE-2026-2248

Critical

Published: 11 February 2026

Modified: 15 April 2026
KEV Added
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0030 (53.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Explicitly identifies and authorizes only specific actions without identification or authentication, directly preventing exposure of critical unauthenticated functions like the /console root shell.

prevent

Restricts the system to least functionality by prohibiting unnecessary ports, protocols, or services such as the exposed unauthenticated web shell.

prevent

Mandates protections for publicly accessible interfaces like the /console endpoint to block unauthorized remote access and command execution.

Security Summary (AI)

CVE-2026-2248 is a critical vulnerability in METIS WIC devices running oscore versions up to 2.1.234-r18. It stems from an exposed web-based shell at the /console endpoint that requires no authentication, allowing remote attackers to execute arbitrary operating system commands with root (UID 0) privileges. Published on 2026-02-11, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), resulting in full system compromise.

A remote attacker needs only network access to the affected device to exploit this vulnerability by directly accessing the /console endpoint, with no privileges, user interaction, or complex preconditions required. Successful exploitation grants complete control, enabling attackers to modify system configurations, extract sensitive data, or disrupt device operations.

Mitigation guidance is available in the Cydome vulnerability advisory at https://cydome.io/vulnerability-advisory-cve-2026-2248-unauthenticated-remote-root-shell-in-metis-wic and on the manufacturer's site at https://www.metis.tech/.

Details

CWE(s)

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated remote access to the web-based shell at /console enables exploitation of a public-facing application (T1190) for initial access and direct execution of arbitrary OS commands via a Unix shell (T1059.004) with root privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
