CVE-2026-2250
Published: 11 February 2026
Summary
CVE-2026-2250 is a high-severity Insertion of Sensitive Information Into Debugging Code (CWE-215) vulnerability in Cydome (inferred from references). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-7 (Least Functionality).
Deeper analysis
CVE-2026-2250 is an information disclosure vulnerability affecting METIS WIC (Wireless Intelligent Collector) devices. The /dbviewer/ web endpoint is exposed without authentication, enabling remote access and export of the internal telemetry SQLite database, which contains sensitive operational data. Additionally, the application operates with debug mode enabled, causing malformed requests to return verbose Django tracebacks that reveal backend source code, local file paths, and system configuration details. The issue carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-215 (Improper Handling of Sensitive Information) and CWE-284 (Improper Access Control).
A remote attacker requires only network access to the affected device, with no privileges, authentication, or user interaction needed due to the low attack complexity. Successful exploitation allows high-impact confidentiality breaches, including exfiltration of sensitive operational telemetry data from the SQLite database and extraction of additional intelligence such as application source code, filesystem paths, and system configuration via triggered debug tracebacks.
Mitigation guidance is available in the Cydome vulnerability advisory at https://cydome.io/vulnerability-advisory-cve-2026-2250-unauthenticated-data-exfilteration-and-information-disclosure-in-metis-wic-wireless-intelligent-collector, along with the vendor's site at https://www.metis.tech/.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7030
Vulnerability details
The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests…
more
to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauth public web endpoint enables T1190 exploitation; direct DB export and debug tracebacks enable T1005 data access plus T1082/T1083 system/file discovery.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly identifies and restricts permitted actions without authentication, preventing unauthorized remote access to the exposed /dbviewer/ endpoint and sensitive database export.
Mandates controlled error handling to suppress verbose Django tracebacks, avoiding disclosure of source code, file paths, and system configuration.
Enforces least functionality by prohibiting unnecessary features like the unauthenticated /dbviewer/ endpoint and debug mode on production devices.