CVE-2026-2248

CRITICAL

METIS WIC <= oscore 2.1.234-r18 - RCE

Title source: llm

Description

METIS WIC devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with root (UID 0) privileges. This results in full system compromise, allowing unauthorized access to modify system configuration, read sensitive data, or disrupt device operations

Exploits (1)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-2248

View Code ZIP pw:eip

References (2)

[Various Sources] https://cydome.io/vulnerability-advisory-cve-2026-2248-unauthenticated-remote-root-shell-in-metis-wic

[Various Sources] https://www.metis.tech/

Scores

CVSS v3 9.8

EPSS 0.0030

EPSS Percentile 53.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287 CWE-306

Status published

Products (2)

METIS Cyberspace Technology SA/METIS WIC oscore 2.1.234-r18

METIS Cyberspace Technology SA/METIS WIC oscore 2.1.235-r19

Published Feb 11, 2026

Tracked Since Feb 18, 2026