CVE-2026-2248

METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://cydome.io/vulnerability-advisory-cve-2026-2248-unauthenticated-remote-root-shell-in-metis-wic
https://www.metis.tech/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Los dispositivos METIS WIC (versiones <= oscore 2.1.234-r18) exponen un shell basado en web en el endpoint /console que no requiere autenticación. Acceder a este endpoint permite a un atacante remoto ejecutar comandos arbitrarios del sistema operativo con privilegios de root (UID 0). Esto resulta en un compromiso total del sistema, permitiendo el acceso no autorizado para modificar la configuración del sistema, leer datos sensibles o interrumpir las operaciones del dispositivo.

12 Feb 2026, 16:16

Type	Values Removed	Values Added
References		() https://cydome.io/vulnerability-advisory-cve-2026-2248-unauthenticated-remote-root-shell-in-metis-wic -

11 Feb 2026, 15:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-11 15:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-2248

Mitre link : CVE-2026-2248

CVE.ORG link : CVE-2026-2248

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

CWE-306

Missing Authentication for Critical Function

9.8 /10