CVE-2026-2248
Awaiting Analysis Awaiting Analysis - Queue
Unauthenticated Remote Code Execution in METIS WIC Devices

Publication date: 2026-02-11

Last updated on: 2026-02-12

Assigner: MHV

Description
METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-11
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-02-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2248
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
metis wic to 2.1.234-r18 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability affects METIS WIC devices running oscore versions up to 2.1.234-r18. These devices expose a web-based shell at the /console endpoint that does not require any authentication.

Because there is no authentication, a remote attacker can access this endpoint and execute arbitrary operating system commands with root (UID 0) privileges.

This means the attacker can fully compromise the system, gaining unauthorized access to modify system configurations, read sensitive data, or disrupt device operations.

Impact Analysis

This vulnerability can have severe impacts including full system compromise due to root-level command execution by an attacker.

  • Unauthorized modification of system configuration.
  • Unauthorized access to and reading of sensitive data.
  • Disruption of device operations, potentially causing denial of service or other operational failures.
Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2248. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart