Scan free
CRITICALCVE-2026-2248CVSS 9.8

CVE-2026-2248: Unauth Web Shell in METIS WIC

Platform

other

Component

metis-wic

Fixed in

2.1.235

AI Confidence: highNVDEPSS 0.3%Reviewed: May 2026
View on NVD
Save

CVE-2026-2248 describes a critical vulnerability in METIS WIC devices running oscore versions up to 2.1.234-r18. This vulnerability allows an attacker to execute arbitrary operating system commands with root privileges through an unauthenticated web shell accessible at the /console endpoint. Successful exploitation results in complete system compromise. A patch is available in oscore version 2.1.236.

Impact and Attack Scenarios

The impact of CVE-2026-2248 is severe. An attacker gaining access to the /console endpoint can execute any command on the device with root privileges. This allows for complete control over the device, including the ability to modify system configurations, steal sensitive data (passwords, keys, configuration files), install malware, and disrupt device operations. The lack of authentication makes this vulnerability particularly dangerous, as any attacker with network access to the device can potentially exploit it. This is akin to having an open backdoor into the device's operating system.

Exploitation Context

CVE-2026-2248 was publicly disclosed on 2026-02-11. The vulnerability is considered highly exploitable due to the lack of authentication and the ability to execute arbitrary commands with root privileges. No public proof-of-concept (POC) code has been released as of this writing, but the ease of exploitation suggests that it is likely to be developed and shared. It has not yet been added to the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.29% (52% percentile)

CISA SSVC

Exploitationnone
Automatableyes
Technical Impacttotal

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H9.8CRITICALAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredNoneAuthentication level needed to attackUser InteractionNoneWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityHighRisk of sensitive data exposureIntegrityHighRisk of unauthorized data modificationAvailabilityHighRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Componentmetis-wic
VendorMETIS Cyberspace Technology SA
Affected rangeFixed in
oscore 2.1.234-r18 – oscore 2.1.234-r182.1.235

Weakness Classification (CWE)

CWE-306CWE-287

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-2248 is to upgrade METIS WIC devices to oscore version 2.1.236 or later. If an immediate upgrade is not possible, consider implementing network segmentation to restrict access to the /console endpoint. Firewall rules should be configured to only allow access from trusted IP addresses. Monitoring network traffic for unusual activity targeting the /console endpoint is also recommended. While a WAF might be able to detect and block malicious requests, it is not a substitute for patching the underlying vulnerability. After upgrading, verify the vulnerability is resolved by attempting to access the /console endpoint and confirming that authentication is required.

How to fix

Actualice el firmware de su dispositivo METIS WIC a una versión posterior a oscore 2.1.235-r19. Consulte el sitio web del proveedor para obtener las últimas actualizaciones de firmware y las instrucciones de instalación. Deshabilite el acceso a la consola web si no es necesaria.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2026-2248 — Unauth Web Shell in METIS WIC?

CVE-2026-2248 is a critical vulnerability in METIS WIC devices where an unauthenticated attacker can execute OS commands with root privileges via the /console endpoint, leading to full system compromise.

Am I affected by CVE-2026-2248 in METIS WIC?

You are affected if you are using METIS WIC devices with oscore versions less than or equal to 2.1.234-r18.

How do I fix CVE-2026-2248 in METIS WIC?

Upgrade your METIS WIC devices to oscore version 2.1.236 or later. Implement network segmentation and monitor traffic to the /console endpoint as a temporary workaround.

Is CVE-2026-2248 being actively exploited?

While no public exploits are currently known, the ease of exploitation suggests it is likely to be targeted. Continuous monitoring is advised.

Where can I find the official METIS WIC advisory for CVE-2026-2248?

Refer to the METIS WIC security advisories on their official website for the latest information and updates regarding CVE-2026-2248.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs