Critical severity9.8NVD Advisory· Published Feb 11, 2026· Updated Apr 15, 2026

CVE-2026-2249

Description

METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

cydome.io/vulnerability-advisory-cve-2026-2249-unauthenticated-rce-in-metis-data-fusion-server-dfsnvd
www.metis.technvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000