Cyber Posture

CVE-2026-2249

Critical
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 11 February 2026

Published
11 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0030 53.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2249 is a critical-severity Improper Authentication (CWE-287) vulnerability in Cydome (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match
preventdetect

AC-14 identifies and authorizes only approved actions without authentication while monitoring and reviewing them, directly preventing exposure of the unauthenticated /console web shell.

AC-3 Access Enforcement good match
prevent

AC-3 enforces approved access authorizations, requiring authentication to block remote unauthorized access to the command execution shell.

CM-7 Least Functionality good match
prevent

CM-7 least functionality restricts the system to essential capabilities, prohibiting or disabling the unnecessary exposed web shell endpoint.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
attack.mitre.org →
Why these techniques?

The vulnerability exposes an unauthenticated web-based shell (/console) on a public-facing METIS DFS device, enabling remote code execution with daemon privileges. This directly maps to T1190 (Exploit Public-Facing Application), T1210 (Exploitation of Remote Services), and T1100 (Web Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the…

more

compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.

Deeper analysisAI

CVE-2026-2249 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in METIS DFS devices running oscore versions up to 2.1.234-r18. It stems from an exposed web-based shell at the /console endpoint that requires no authentication (CWE-287: Improper Authentication, CWE-306: Missing Authentication for Critical Function). This allows remote attackers to execute arbitrary operating system commands with daemon privileges, leading to full software compromise.

Remote attackers with network access can exploit this vulnerability without user interaction, privileges, or special conditions. Exploitation grants unauthorized control, enabling attackers to modify device configurations, read and alter sensitive data, or disrupt services entirely.

Mitigation guidance is detailed in advisories such as the Cydome vulnerability advisory at https://cydome.io/vulnerability-advisory-cve-2026-2249-unauthenticated-rce-in-metis-data-fusion-server-dfs, with additional information available on the vendor site at https://www.metis.tech/.

Details

CWE(s)
CWE-287CWE-306

Affected Products

Cydome
inferred from references and description; NVD did not file a CPE for this CVE

CVEs Like This One

CVE-2025-7862Shared CWE-287, CWE-306
CVE-2026-6126Shared CWE-287, CWE-306
CVE-2026-7042Shared CWE-287, CWE-306
CVE-2026-4959Shared CWE-287, CWE-306
CVE-2026-3192Shared CWE-287, CWE-306
CVE-2026-3053Shared CWE-287, CWE-306
CVE-2026-4562Shared CWE-287, CWE-306
CVE-2026-6582Shared CWE-287, CWE-306
CVE-2025-58443Shared CWE-287, CWE-306
CVE-2026-5676Shared CWE-287, CWE-306

References