Cyber Resilience

CVE-2026-2250

High

Published: 11 February 2026

Published
11 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0012 30.4th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-2250 is a high-severity Insertion of Sensitive Information Into Debugging Code (CWE-215) vulnerability in Cydome (inferred from references). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).

Deeper analysis

CVE-2026-2250 is an information disclosure vulnerability affecting METIS WIC (Wireless Intelligent Collector) devices. The /dbviewer/ web endpoint is exposed without authentication, enabling remote access and export of the internal telemetry SQLite database, which contains sensitive operational data. Additionally, the application operates with debug mode enabled, causing malformed requests to return verbose Django tracebacks that reveal backend source code, local file paths, and system configuration details. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-215 (Improper Handling of Sensitive Information) and CWE-284 (Improper Access Control).

A remote attacker requires only network access to the affected device, with no privileges, authentication, or user interaction needed due to the low attack complexity. Successful exploitation allows high-impact confidentiality breaches, including exfiltration of sensitive operational telemetry data from the SQLite database and extraction of additional intelligence such as application source code, filesystem paths, and system configuration via triggered debug tracebacks.

Mitigation guidance is available in the Cydome vulnerability advisory at https://cydome.io/vulnerability-advisory-cve-2026-2250-unauthenticated-data-exfilteration-and-information-disclosure-in-metis-wic-wireless-intelligent-collector, along with the vendor's site at https://www.metis.tech/.

EU & UK References

Vulnerability details

The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests…

more

to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1083 File and Directory Discovery Discovery
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Why these techniques?

Unauth public web endpoint enables T1190 exploitation; direct DB export and debug tracebacks enable T1005 data access plus T1082/T1083 system/file discovery.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30208Shared CWE-284
CVE-2024-13240Shared CWE-284
CVE-2024-55019Shared CWE-284
CVE-2025-69907Shared CWE-284
CVE-2026-35231Shared CWE-284
CVE-2026-25231Shared CWE-284
CVE-2026-39364Shared CWE-284
CVE-2026-1194Shared CWE-284
CVE-2025-30141Shared CWE-284
CVE-2026-5571Shared CWE-284

Affected Assets

Cydome
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly identifies and restricts permitted actions without authentication, preventing unauthorized remote access to the exposed /dbviewer/ endpoint and sensitive database export.

prevent

Mandates controlled error handling to suppress verbose Django tracebacks, avoiding disclosure of source code, file paths, and system configuration.

prevent

Enforces least functionality by prohibiting unnecessary features like the unauthenticated /dbviewer/ endpoint and debug mode on production devices.

References