METIS DFS Devices Web-Based Shell Vulnerability Allowing Arbitrary Command Execution
Vulnerability
A vulnerability exists in METIS DFS devices running operating system version 2.1.234-r18 or earlier. These devices expose a web-based shell at the '/console' endpoint, which does not require authentication. This allows remote attackers to execute arbitrary operating system commands with 'daemon' privileges. Exploitation of this issue could compromise the device's software, allow unauthorized modification of configurations, allow access to and alteration of sensitive data, or disrupt services.
Impact
Exploitation of this vulnerability could lead to unauthorized execution of commands with 'daemon' privileges, allowing attackers to modify configurations, access and alter sensitive data, disrupt services, and potentially compromise the device's software integrity.
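Detection example added here, not part of the original advisory or any vendor material: it flags requests that resolve to the '/console' endpoint in web access logs, so that exposure of the shell can be spotted per source address. It assumes a reverse proxy or network sensor in front of the device writes Common Log Format; the log lines, addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from posixpath import normpath
from urllib.parse import unquote

# Constructed sample lines (Common Log Format is an assumption; adapt the
# regex to whatever the proxy or sensor in front of the device records).
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "GET /console HTTP/1.1" 200 5120
198.51.100.7 - - [12/Mar/2024:10:01:09 +0000] "POST /console/ HTTP/1.1" 200 312
203.0.113.20 - - [12/Mar/2024:10:02:40 +0000] "GET /%63onsole?x=1 HTTP/1.1" 200 5120
203.0.113.20 - - [12/Mar/2024:10:03:00 +0000] "GET //static/../console HTTP/1.1" 403 0
192.0.2.15 - - [12/Mar/2024:10:04:11 +0000] "GET /consoles/help HTTP/1.1" 200 900
192.0.2.15 - - [12/Mar/2024:10:05:30 +0000] "GET /index.html HTTP/1.1" 200 1400
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def is_console_path(target):
    """True if the request target resolves to /console or a path below it."""
    path = unquote(target.split("?", 1)[0])      # drop query, decode %xx
    path = normpath("/" + path.lstrip("/"))      # collapse //, ./ and ../
    return path == "/console" or path.startswith("/console/")

def console_hits(log_text):
    """Per-source counts of /console requests; 'served' counts 2xx replies."""
    hits = defaultdict(lambda: {"requests": 0, "served": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        src, _method, target, status = m.groups()
        if is_console_path(target):
            hits[src]["requests"] += 1
            # The endpoint needs no authentication, so a 2xx reply means
            # the shell was actually served to this source.
            hits[src]["served"] += status.startswith("2")
    return dict(hits)

if __name__ == "__main__":
    for src, c in sorted(console_hits(SAMPLE_LOG).items()):
        print(f"{src}: {c['requests']} /console request(s), {c['served']} served")
```

Matching on the normalised path rather than the raw string keeps encoded or padded variants of '/console' from slipping past the rule, while '/consoles/help' is correctly ignored.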
