ByteOS Network

METIS WIC

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-2248

Assigner-56a186b1-7f5e-4314-ba38-38d5499fccfd

View Details

Assigner-56a186b1-7f5e-4314-ba38-38d5499fccfd

CVSS Score-9.8||CRITICAL

EPSS-Not Assigned

Published-11 Feb, 2026 | 14:15

Updated-12 Feb, 2026 | 16:16

Unauthenticated Remote Root Shell Access via Web Console in METIS WIC

METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations

Vendor-METIS Cyberspace Technology SA

Product-METIS WIC

CWE ID-CWE-287

Improper Authentication

CWE ID-CWE-306

Missing Authentication for Critical Function

CVE-2026-2250

Assigner-56a186b1-7f5e-4314-ba38-38d5499fccfd

View Details

Assigner-56a186b1-7f5e-4314-ba38-38d5499fccfd

CVSS Score-7.5||HIGH

EPSS-Not Assigned

Published-11 Feb, 2026 | 14:13

Updated-12 Feb, 2026 | 16:16

Unauthenticated Data Export and Source Code Disclosure via /dbviewer/ in METIS WIC

The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.

Vendor-METIS Cyberspace Technology SA

Product-METIS WIC

CWE ID-CWE-215

Insertion of Sensitive Information Into Debugging Code

CWE ID-CWE-284

Improper Access Control