CVE-2026-2249
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.
Analysis
Unauthenticated web shell in METIS DFS devices (versions <= oscore 2.1.234-r18). This is the same vulnerability as CVE-2026-2248, but on the DFS product line.
Remediation
Within 24 hours: Inventory all METIS DFS devices and identify those running oscore versions <= 2.1.234-r18; immediately restrict network access to the /console endpoint via firewall rules. Within 7 days: Implement WAF rules to block /console endpoint access and deploy network segmentation to isolate METIS DFS devices from untrusted networks; conduct forensic analysis for signs of unauthorized access. …
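A sketch of the inventory check and the log review named in the steps above, added here as an example and not taken from the vendor or from this advisory. It assumes oscore versions follow the `X.Y.Z-rN` form shown above and that requests are logged in combined log format; the function names, the `10.20.0.0/24` management network and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

LAST_AFFECTED = "2.1.234-r18"  # boundary version stated in the advisory

def parse_oscore(version):
    """'2.1.234-r18' -> (2, 1, 234, 18). Format assumed from the advisory's one example."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-r(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised oscore version: {version!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(version):
    # Numeric comparison: as strings, "r9" would wrongly sort after "r18".
    return parse_oscore(version) <= parse_oscore(LAST_AFFECTED)

# Assumed log layout: combined log format (source IP first, quoted request line).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def console_hits(lines, trusted_nets):
    """Return (src, time, method, path, status) for /console requests from untrusted sources."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, when, method, target, status = m.groups()
        # Normalise so percent-encoding, doubled slashes and case do not hide a hit.
        path = re.sub(r"/+", "/", unquote(target.split("?", 1)[0])).lower()
        if path != "/console" and not path.startswith("/console/"):
            continue
        try:
            trusted = any(ipaddress.ip_address(src) in n for n in nets)
        except ValueError:
            trusted = False  # hostname or malformed source: report it
        if not trusted:
            hits.append((src, when, method, path, int(status)))
    return hits

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '10.20.0.5 - - [03/Feb/2026:09:14:02 +0000] "GET /console HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.44 - - [03/Feb/2026:23:51:10 +0000] "GET /console HTTP/1.1" 200 187 "-" "-"',
    '198.51.100.7 - - [04/Feb/2026:01:02:33 +0000] "GET /%63onsole/ HTTP/1.1" 403 0 "-" "-"',
    '203.0.113.44 - - [04/Feb/2026:01:05:00 +0000] "GET /status HTTP/1.1" 200 90 "-" "-"',
]
```

Calling `console_hits(SAMPLE_LOG, ["10.20.0.0/24"])` returns the two requests from outside the management network; a 200 status on such a hit is the one to triage first.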