Cyber Resilience

CVE-2026-2248

Critical

Published: 11 February 2026

Modified: 15 April 2026
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0051 (39.7th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-2248 is a critical-severity Improper Authentication (CWE-287) vulnerability in Cydome (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 39.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-2248 is a critical vulnerability in METIS WIC devices running oscore versions up to 2.1.234-r18. It stems from an exposed web-based shell at the /console endpoint that requires no authentication, allowing remote attackers to execute arbitrary operating system commands with root (UID 0) privileges. Published on 2026-02-11, the issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), resulting in full system compromise.

A remote attacker needs only network access to the affected device to exploit this vulnerability by directly accessing the /console endpoint, with no privileges, user interaction, or complex preconditions required. Successful exploitation grants complete control, enabling attackers to modify system configurations, extract sensitive data, or disrupt device operations.

Mitigation guidance is available in the Cydome vulnerability advisory at https://cydome.io/vulnerability-advisory-cve-2026-2248-unauthenticated-remote-root-shell-in-metis-wic and on the manufacturer's site at https://www.metis.tech/.

Vulnerability details

METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote access to the web-based shell at /console enables exploitation of a public-facing application (T1190) for initial access and direct execution of arbitrary OS commands through a Unix shell (T1059.004) with root privileges.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4959: Shared CWE-287, CWE-306
CVE-2026-7723: Shared CWE-287, CWE-306
CVE-2023-54344: Shared CWE-306
CVE-2026-3192: Shared CWE-287, CWE-306
CVE-2025-11529: Shared CWE-287, CWE-306
CVE-2025-11942: Shared CWE-287, CWE-306
CVE-2026-3053: Shared CWE-287, CWE-306
CVE-2026-4562: Shared CWE-287, CWE-306
CVE-2023-54342: Shared CWE-306
CVE-2025-52089: Shared CWE-306

Affected Assets

Cydome
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Explicitly identifies and authorizes only specific actions without identification or authentication, directly preventing exposure of critical unauthenticated functions like the /console root shell.

prevent

Restricts the system to least functionality by prohibiting unnecessary ports, protocols, or services such as the exposed unauthenticated web shell.

prevent

Mandates protections for publicly accessible interfaces like the /console endpoint to block unauthorized remote access and command execution.
