DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-2249: The Open Door Policy: Unauthenticated RCE in METIS DFS

#security #cve #cybersecurity

The Open Door Policy: Unauthenticated RCE in METIS DFS

Vulnerability ID: CVE-2026-2249
CVSS Score: 9.8
Published: 2026-02-11

In the high-stakes world of maritime and industrial data analytics, the METIS Data Fusion System (DFS) serves as a critical nervous system. However, a startling oversight in version control turned these devices into wide-open doors for attackers. CVE-2026-2249 represents the worst-case scenario for edge devices: a hardcoded, unauthenticated web console exposing a direct shell to the operating system. With a CVSS score of 9.8, this isn't just a vulnerability; it's a welcome mat for remote command execution, allowing anyone with network access to execute commands as the 'daemon' user without a password, a key, or even a polite knock.

TL;DR

Critical Unauthenticated RCE (CVSS 9.8) in METIS DFS devices <= 2.1.234-r18. The application exposes a /console endpoint that accepts system commands without authentication. Patch immediately to version 2.1.235-r19 or block access to the web interface.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306 (Missing Authentication)
  • Attack Vector: Network (AV:N)
  • CVSS Score: 9.8 (Critical)
  • Privileges Required: None (PR:N)
  • Impact: Full System Compromise (RCE)
  • Current Status: Patched / PoC Available

Affected Systems

  • METIS DFS (Data Fusion System)
  • METIS DFS: <= oscore 2.1.234-r18 (Fixed in: oscore 2.1.235-r19)

Exploit Details

  • GitHub (Fake/Malware Warning): Repository claiming to have an exploit but linking to suspicious external files. Avoid downloading.
  • Manual: Trivial exploitation via POST request to /console with command payload.

Mitigation Strategies

  • Vendor Patching
  • Network Segmentation
  • Web Application Firewall (WAF)

Remediation Steps:

  1. Identify all METIS DFS devices running oscore versions <= 2.1.234-r18.
  2. Download the 'oscore 2.1.235-r19' firmware update from the METIS support portal.
  3. Apply the update during a maintenance window.
  4. Verify the fix by attempting to navigate to the /console endpoint; it should no longer be accessible without authentication.

References

Read the full report for CVE-2026-2249 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)