Cyber Resilience

CVE-2026-2249

Critical

Published: 11 February 2026

Published
11 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0051 39.7th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-2249 is a critical-severity Improper Authentication (CWE-287) vulnerability in Cydome (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-2249 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in METIS DFS devices running oscore versions up to 2.1.234-r18. It stems from an exposed web-based shell at the /console endpoint that requires no authentication (CWE-287: Improper Authentication, CWE-306: Missing Authentication for Critical Function). This allows remote attackers to execute arbitrary operating system commands with daemon privileges, leading to full software compromise.

Remote attackers with network access can exploit this vulnerability without user interaction, privileges, or special conditions. Exploitation grants unauthorized control, enabling attackers to modify device configurations, read and alter sensitive data, or disrupt services entirely.

Mitigation guidance is detailed in advisories such as the Cydome vulnerability advisory at https://cydome.io/vulnerability-advisory-cve-2026-2249-unauthenticated-rce-in-metis-data-fusion-server-dfs, with additional information available on the vendor site at https://www.metis.tech/.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the…

more

compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability exposes an unauthenticated web-based shell (/console) on a public-facing METIS DFS device, enabling remote code execution with daemon privileges. This directly maps to T1190 (Exploit Public-Facing Application), T1210 (Exploitation of Remote Services), and T1100 (Web Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-7862Shared CWE-287, CWE-306
CVE-2026-4959Shared CWE-287, CWE-306
CVE-2026-7723Shared CWE-287, CWE-306
CVE-2026-3192Shared CWE-287, CWE-306
CVE-2025-11529Shared CWE-287, CWE-306
CVE-2025-11942Shared CWE-287, CWE-306
CVE-2026-3053Shared CWE-287, CWE-306
CVE-2026-4562Shared CWE-287, CWE-306
CVE-2026-40344Shared CWE-287, CWE-306
CVE-2026-6582Shared CWE-287, CWE-306

Affected Assets

Cydome
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

preventdetect

AC-14 identifies and authorizes only approved actions without authentication while monitoring and reviewing them, directly preventing exposure of the unauthenticated /console web shell.

prevent

AC-3 enforces approved access authorizations, requiring authentication to block remote unauthorized access to the command execution shell.

prevent

CM-7 least functionality restricts the system to essential capabilities, prohibiting or disabling the unnecessary exposed web shell endpoint.

References