Cyber Posture

CVE-2026-2249

Critical

Published: 11 February 2026

Published
11 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 53.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the…

more

compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match
preventdetect

AC-14 identifies and authorizes only approved actions without authentication while monitoring and reviewing them, directly preventing exposure of the unauthenticated /console web shell.

AC-3 Access Enforcement good match
prevent

AC-3 enforces approved access authorizations, requiring authentication to block remote unauthorized access to the command execution shell.

CM-7 Least Functionality good match
prevent

CM-7 least functionality restricts the system to essential capabilities, prohibiting or disabling the unnecessary exposed web shell endpoint.

Security SummaryAI

CVE-2026-2249 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in METIS DFS devices running oscore versions up to 2.1.234-r18. It stems from an exposed web-based shell at the /console endpoint that requires no authentication (CWE-287: Improper Authentication, CWE-306: Missing Authentication for Critical Function). This allows remote attackers to execute arbitrary operating system commands with daemon privileges, leading to full software compromise.

Remote attackers with network access can exploit this vulnerability without user interaction, privileges, or special conditions. Exploitation grants unauthorized control, enabling attackers to modify device configurations, read and alter sensitive data, or disrupt services entirely.

Mitigation guidance is detailed in advisories such as the Cydome vulnerability advisory at https://cydome.io/vulnerability-advisory-cve-2026-2249-unauthenticated-rce-in-metis-data-fusion-server-dfs, with additional information available on the vendor site at https://www.metis.tech/.

Details

CWE(s)
CWE-287CWE-306

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

The vulnerability exposes an unauthenticated web-based shell (/console) on a public-facing METIS DFS device, enabling remote code execution with daemon privileges. This directly maps to T1190 (Exploit Public-Facing Application), T1210 (Exploitation of Remote Services), and T1100 (Web Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References