Platform: linux
Component: metis-dfs
Fixed in: 2.1.235
CVE-2026-2249 affects METIS DFS devices running oscore versions up to and including 2.1.234-r18. It allows an unauthenticated attacker to execute arbitrary operating system commands on the device, which can lead to complete compromise of the system and unauthorized access to the data it stores. A patch is available in version 2.1.236.
The web-based shell exposed at the /console endpoint is a direct path to remote code execution (RCE). Commands run with the privileges of the 'daemon' account, which is enough to read and modify configuration files, exfiltrate data stored on the device, disrupt services, and use the device as a foothold for pivoting to other systems on the network. Note that 'daemon' is normally an unprivileged service account rather than root: which of these actions are reachable depends on the file permissions on the device, and full system compromise would require a further local privilege escalation. Because no authentication is required, exploitation is trivial, and the vulnerability poses a significant risk to organizations relying on METIS DFS for data storage and management.
CVE-2026-2249 was publicly disclosed on 2026-02-11. Although the EPSS score is low (0.29%, 52nd percentile), exploitation is assessed as likely: the endpoint is reachable without authentication and the attack requires no special tooling, so public proof-of-concept (PoC) code can be expected. It is not currently listed in the CISA KEV catalog, but its severity warrants monitoring, and active exploitation campaigns are possible.
Organizations running METIS DFS devices in flat networks with limited segmentation are particularly exposed, as are shared hosting environments where multiple tenants use the same METIS DFS instance. Legacy deployments on older, unpatched versions are the most susceptible.
• linux / server: journalctl -u metisdfs | grep /console (assumes the service unit is named metisdfs; shows whether the service itself logged requests to the endpoint)
• linux / server: ss -tulnp | grep -i metis (shows which ports the METIS DFS web service listens on; ss reports sockets, not URL paths, so grepping its output for /console would match nothing)
• generic web: curl -sI http://<METIS_DFS_IP>/console (an HTTP 200 with no login challenge means the shell is reachable without credentials)
• generic web: grep '/console' /var/log/apache2/access.log* (lists past requests to the endpoint, including rotated logs)
Exploit status
EPSS: 0.29% (52nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-2249 is to upgrade METIS DFS devices to version 2.1.236 or later immediately. If upgrading is not immediately feasible, restrict network access to the /console endpoint as a temporary workaround. Network firewalls and ACLs filter on addresses and ports, not URL paths, so in practice this means limiting the device's management web port to administrative networks, or placing an authenticating reverse proxy in front of it that denies the /console path. This reduces the attack surface but is not a complete fix. Monitor network traffic and web logs for requests to /console. After upgrading, confirm the fix by requesting the /console endpoint and verifying that authentication is now required.
Update the METIS DFS software to a version later than oscore 2.1.234-r18 and oscore 2.1.235-r19. Consult the vendor's website for the latest version and upgrade instructions. Disable or restrict access to the /console endpoint if it is not needed.
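As an added example, not part of this advisory or of the vendor's tooling, the following POSIX shell script combines the detection checks listed above with the post-upgrade verification described here: it classifies the HTTP status that /console returns and sweeps a combined-format web access log for accepted requests to the endpoint. It assumes the management interface speaks plain HTTP on the default port, that a patched device answers /console with 401 or 403 (the advisory says the fix makes authentication required), and that logs are in the Apache/nginx combined format. The sample log lines are constructed for the self-check and are not real traffic.

```shell
#!/bin/sh
# Added example for CVE-2026-2249: detect an exposed /console web shell on a
# METIS DFS device and triage web access logs. Not vendor code; assumptions
# are marked below.

# Interpret the HTTP status returned by a request to /console.
# Prints one of: exposed, protected, absent, unknown.
# Assumption: a patched device answers 401/403; a 200 means the shell is
# reachable without credentials and should be treated as vulnerable.
classify_console_status() {
    case "$1" in
        200)      echo exposed ;;
        401|403)  echo protected ;;
        404|410)  echo absent ;;
        *)        echo unknown ;;
    esac
}

# Probe a live device using only the status code, never the response body.
# Assumption: plain HTTP on the default port; adjust scheme/port as needed.
probe_console() {
    host="$1"
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
        "http://$host/console" || echo 000)
    printf '%s /console -> HTTP %s (%s)\n' \
        "$host" "$code" "$(classify_console_status "$code")"
}

# Count requests to /console that the server accepted (non-4xx), reading a
# combined-format access log from stdin. Rejected requests suggest an ACL or
# the fix is in place, so they are excluded from the count.
count_console_hits() {
    awk '$7 ~ /^\/console/ && $9 !~ /^4/ { n++ } END { print n+0 }'
}

# List distinct client IPs that requested /console, for triage.
console_clients() {
    awk '$7 ~ /^\/console/ { print $1 }' | sort -u
}

# Constructed sample log lines (not real traffic) for a quick self-check.
SAMPLE_LOG='10.0.0.5 - - [11/Feb/2026:10:01:02 +0000] "GET /console HTTP/1.1" 200 5120 "-" "curl/8.5.0"
10.0.0.5 - - [11/Feb/2026:10:01:09 +0000] "POST /console HTTP/1.1" 200 312 "-" "curl/8.5.0"
192.0.2.17 - - [11/Feb/2026:10:02:00 +0000] "GET /console HTTP/1.1" 401 0 "-" "python-requests/2.31"
10.0.0.9 - - [11/Feb/2026:10:03:30 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'

# Probe a live device only when METIS_DFS_IP is set, so the script runs offline.
if [ -n "${METIS_DFS_IP:-}" ]; then
    probe_console "$METIS_DFS_IP"
fi
```

Run with METIS_DFS_IP=<address> to probe a live device, or pipe an access log into count_console_hits and console_clients during triage. A non-zero count of accepted /console requests before the upgrade is an incident-response lead rather than proof of compromise, since legitimate administrators may also have used the endpoint; correlate the client IPs with known management hosts.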
CVE-2026-2249 is a critical vulnerability in METIS DFS oscore versions up to and including 2.1.234-r18 that allows unauthenticated remote code execution via the /console endpoint, potentially leading to full system compromise.
You are affected if you are running METIS DFS with an oscore version less than or equal to 2.1.234-r18. Check your version and upgrade immediately if it falls in that range.
Upgrade your METIS DFS device to version 2.1.236 or later. As a temporary workaround, restrict network access to the device's management web interface, and therefore to /console, using firewalls or access control lists.
No active exploitation has been confirmed, but the vulnerability's ease of exploitation makes it likely. Monitor your systems closely.
Refer to the official METIS DFS security advisory for detailed information and updates regarding CVE-2026-2249.