Impact
The /dbviewer/ web endpoint in METIS WIC devices is accessible without authentication, enabling a remote attacker to retrieve the internal telemetry SQLite database that contains sensitive operational data. Furthermore, the application is running with debug mode enabled, so malformed requests trigger verbose Django tracebacks that expose backend source code, local file paths, and system configuration. These details map to CWE-215 (Information Exposure Through Log Chain) and CWE-284 (Improper Access Control).
Affected Systems
The vulnerability affects METIS Cyberspace Technology SA’s METIS WIC product. Vendor and product information is available, but specific affected firmware or build versions are not disclosed in the data. All deployments that expose the /dbviewer/ endpoint without proper authentication or that enable debug mode are potentially impacted.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, while the EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation at the time of analysis. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is remote over the network, requiring no authentication or credentials. An attacker can simply hit the exposed endpoint from any network location and download the telemetry database or trigger tracebacks. The missing authentication and the enabled debug mode make this straightforward for attackers with network access.
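To check whether either condition has already been reached on a deployment, a defender can review web access logs for the two signals described above. The following is an added example, not code from the vendor or from this advisory. It assumes a reverse proxy in front of the device writes combined-format access logs with the authenticated user in the third field; the rule names, size threshold and sample lines are constructed for illustration.

```python
import re

# Constructed sample lines (combined log format; IPs are documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "GET /dbviewer/ HTTP/1.1" 200 48211 "-" "curl/8.5.0"
203.0.113.7 - - [12/Mar/2025:10:01:09 +0000] "GET /dbviewer/?page=abc HTTP/1.1" 500 91344 "-" "curl/8.5.0"
198.51.100.4 - operator [12/Mar/2025:10:02:00 +0000] "GET /dashboard/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.15 - - [12/Mar/2025:10:03:30 +0000] "GET /dbviewer/ HTTP/1.1" 403 153 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2025:10:04:11 +0000] "POST /api/x HTTP/1.1" 500 212 "-" "python-requests/2.31"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Assumption: Django debug error pages are large HTML documents, while a
# production 500 response is small. Tune this heuristic for your environment.
DEBUG_PAGE_MIN_BYTES = 20000


def scan(log_text):
    """Return (client_ip, rule, path) tuples for log lines worth reviewing."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        status = int(m["status"])
        size = 0 if m["size"] == "-" else int(m["size"])
        path = m["path"]
        on_dbviewer = path.split("?", 1)[0].startswith("/dbviewer")
        # Signal 1: /dbviewer/ served successfully with no authenticated user.
        if on_dbviewer and 200 <= status < 300 and m["user"] == "-":
            findings.append((m["ip"], "dbviewer-2xx-unauthenticated", path))
        # Signal 2: an oversized 500 body, consistent with a debug traceback page.
        elif status == 500 and size >= DEBUG_PAGE_MIN_BYTES:
            findings.append((m["ip"], "large-500-possible-debug-page", path))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit on the first rule means the telemetry database should be treated as disclosed to that client; hits on the second rule indicate debug mode was still enabled at that time.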