CVE-2026-2249

Published Feb 11, 2026

Last updated a month ago

CVSS critical 9.8
Port (80)

Overview

Description
METIS DFS devices (versions <= oscore 2.1.234-r18) expose a web-based shell at the /console endpoint that does not require authentication. Accessing this endpoint allows a remote attacker to execute arbitrary operating system commands with 'daemon' privileges. This results in the compromise of the software, granting unauthorized access to modify configuration, read and alter sensitive data, or disrupt services.
Source
56a186b1-7f5e-4314-ba38-38d5499fccfd
NVD status
Awaiting Analysis

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

56a186b1-7f5e-4314-ba38-38d5499fccfd
CWE-287

Social media

Hype score
Not currently trending

Related CVEs

  1. Webserver crash caused by scanning on TCP port 80 in Softing Industrial Automation GmbH gateways and switch.This issue affects smartLink HW-PN: from 1.02 through 1.03 smartLink HW-DP: 1.31CVE-2025-10150
  2. Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the code in the scheduler for downloading a tiny file is hard coded to use the HTTP protocol, rather than HTTPS. This means that an attacker could perform a Man-in-the-Middle attack, changing the network request so that a different piece of data gets downloaded. This vulnerability is fixed in 2.1.0.CVE-2025-59410
  3. TP-Link Archer C7(EU) and TL-WR841N/ND(MS) OS Command Injection VulnerabilityCVE-2025-9377
  4. A mismatch caused by client-triggered server-sent stream resets between HTTP/2 specifications and the internal architectures of some HTTP/2 implementations may result in excessive server resource consumption leading to denial-of-service (DoS). By opening streams and then rapidly triggering the server to reset them—using malformed frames or flow control errors—an attacker can exploit incorrect stream accounting. Streams reset by the server are considered closed at the protocol level, even though backend processing continues. This allows a client to cause the server to handle an unbounded number of concurrent streams on a single connection. This CVE will be updated as affected product details are released.CVE-2025-8671
  5. An unauthenticated remote attacker can cause a Denial of Service by sending a large number of requests to the http service on port 80.CVE-2025-2813

References

Sources include official advisories and independent security research.