CVE-2026-2250
Published: 11 February 2026
Summary
CVE-2026-2250 is a high-severity Insertion of Sensitive Information Into Debugging Code (CWE-215) vulnerability in Cydome (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization.
Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
Supervision and review of access control activities directly detects and remediates improper access configurations or usages.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
By automatically labeling outputs with security attributes, the control supports attribute-based enforcement and reduces exploitability of improper access control weaknesses.
Associating and retaining security attributes with data directly supports enforcement of access control decisions across storage, processing, and transmission.
Requiring prior authorization for each remote access type prevents improper access control over remote connections.
Requiring authorization of wireless access before allowing connections enforces proper access control for this access method.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauth public web endpoint enables T1190 exploitation; direct DB export and debug tracebacks enable T1005 data access plus T1082/T1083 system/file discovery.
NVD Description
The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests…
more
to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.
Deeper analysisAI
CVE-2026-2250 is an information disclosure vulnerability affecting METIS WIC (Wireless Intelligent Collector) devices. The /dbviewer/ web endpoint is exposed without authentication, enabling remote access and export of the internal telemetry SQLite database, which contains sensitive operational data. Additionally, the application operates with debug mode enabled, causing malformed requests to return verbose Django tracebacks that reveal backend source code, local file paths, and system configuration details. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-215 (Improper Handling of Sensitive Information) and CWE-284 (Improper Access Control).
A remote attacker requires only network access to the affected device, with no privileges, authentication, or user interaction needed due to the low attack complexity. Successful exploitation allows high-impact confidentiality breaches, including exfiltration of sensitive operational telemetry data from the SQLite database and extraction of additional intelligence such as application source code, filesystem paths, and system configuration via triggered debug tracebacks.
Mitigation guidance is available in the Cydome vulnerability advisory at https://cydome.io/vulnerability-advisory-cve-2026-2250-unauthenticated-data-exfilteration-and-information-disclosure-in-metis-wic-wireless-intelligent-collector, along with the vendor's site at https://www.metis.tech/.
Details
- CWE(s)