Description
METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.
Published: 2026-02-11
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

A web-based shell is exposed at the /console endpoint of METIS DFS devices. The endpoint is accessible without authentication, allowing a remote attacker to execute arbitrary operating system commands with daemon privileges. This flaw aligns with authentication and authorization weaknesses (CWE-287, CWE-306) and can lead to full compromise of the device, unauthorized configuration changes, data theft, and service disruption.

Affected Systems

The vulnerability affects METIS Cyberspace Technology SA's METIS DFS products, specifically builds with OS core version 2.1.234-r18 or earlier. Devices running these legacy firmware releases are susceptible.

Risk and Exploitability

The flaw carries a CVSS score of 9.8, indicating critical severity. The current EPSS score of less than 1% reflects a low but non-zero likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only a connection to the web interface: an attacker who can reach /console can send crafted requests that execute commands on the device and gain control over the system. Given the lack of authentication, the attack is highly feasible for any adversary with network access to the device.

Generated by OpenCVE AI on April 18, 2026 at 12:40 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade METIS DFS to a version newer than OS core 2.1.234-r18 to eliminate the unauthenticated web console
  • Configure network controls (firewall or ACL) to limit access to the /console endpoint to trusted IP addresses only
  • Disable or remove the web console feature entirely if it is not required for normal operation
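Until a patched firmware is available, the practical control is the second action above: restricting /console to trusted addresses and watching for anything else reaching it. The script below is an added example, not code from OpenCVE or from the METIS DFS product; it assumes the device, or a reverse proxy in front of it, writes Common Log Format access lines, and the trusted networks and log lines are constructed for the example. It flags every request to /console from a source outside the allowlist, which is both a check that the network control is working and a simple detection for the attack path this record describes.

```python
"""Flag requests to the /console endpoint that do not come from trusted addresses.

Added example for this CVE record, not part of OpenCVE or the vendor's software.
Assumes Common Log Format access lines; allowlist and sample lines are constructed.
"""
import ipaddress
import re

# Constructed allowlist of management networks (hypothetical values).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("192.168.100.5/32"),
]

# Common Log Format: client ip, identity, user, [timestamp], "request line", status, bytes
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)


def is_trusted(ip_text):
    """True if ip_text parses as an address inside one of TRUSTED_NETWORKS."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed client field: treat as untrusted, never as trusted
    return any(ip in net for net in TRUSTED_NETWORKS)


def console_alerts(lines):
    """Return (ip, timestamp, request path) for each request to /console from an
    untrusted source. Lines that do not parse as CLF are skipped, not alerted on."""
    alerts = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m:
            continue
        # Compare on the path alone; a query string must not hide the endpoint.
        path = m.group("path").split("?", 1)[0]
        # The record names /console itself; matching sub-paths too is an assumption.
        if path == "/console" or path.startswith("/console/"):
            if not is_trusted(m.group("ip")):
                alerts.append((m.group("ip"), m.group("ts"), m.group("path")))
    return alerts


# Constructed sample access log: one trusted hit, two untrusted hits, one
# unrelated request, one unparseable line.
SAMPLE_LOG = [
    '10.20.0.7 - - [11/Feb/2026:14:31:02 +0000] "GET /console HTTP/1.1" 200 5120',
    '203.0.113.45 - - [11/Feb/2026:14:32:10 +0000] "GET /console HTTP/1.1" 200 5120',
    '203.0.113.45 - - [11/Feb/2026:14:32:11 +0000] "GET /console?lang=en HTTP/1.1" 200 5120',
    '198.51.100.9 - - [11/Feb/2026:14:35:00 +0000] "GET /status HTTP/1.1" 200 310',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, ts, path in console_alerts(SAMPLE_LOG):
        print(f"ALERT untrusted /console access from {ip} at {ts}: {path}")
```

Any alert from this check on a device that should already be firewalled means the network control is not in place for that path; a 200 status on an untrusted hit is the signal that the console is reachable, regardless of what was requested.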


Advisories

No advisories yet.

History

Thu, 12 Feb 2026 15:30:00 +0000


Wed, 11 Feb 2026 22:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Metis Cyberspace Technology Sa
                                       Metis Cyberspace Technology Sa metis Dfs
Vendors & Products                     Metis Cyberspace Technology Sa
                                       Metis Cyberspace Technology Sa metis Dfs

Wed, 11 Feb 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 11 Feb 2026 14:30:00 +0000

Type          Values Removed   Values Added
Description                    METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.
Title                          Unauthenticated Remote Command Execution via Web Console in METIS DFS
Weaknesses                     CWE-287
                               CWE-306
References
Metrics                        cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: MHV

Published:

Updated: 2026-02-12T15:20:28.314Z

Reserved: 2026-02-09T13:38:43.331Z

Link: CVE-2026-2249

Vulnrichment

Updated: 2026-02-11T14:47:24.501Z

NVD

Status: Deferred

Published: 2026-02-11T15:16:17.600

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-2249

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:45:45Z

Weaknesses