CVE-2026-2250: CWE-284 Improper Access Control in METIS Cyberspace Technology SA METIS WIC
The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.
AI Analysis
Technical Summary
CVE-2026-2250 identifies a critical security flaw in the METIS WIC product by METIS Cyberspace Technology SA, specifically affecting version oscore 2.1.234-r18. The vulnerability arises from the /dbviewer/ web endpoint being exposed without any authentication mechanism, allowing any remote attacker to access and export the internal telemetry SQLite database. This database contains sensitive operational data that could reveal internal system states or configurations. Compounding this issue, the application is configured with debug mode enabled, which causes malformed HTTP requests to trigger verbose Django framework tracebacks. These tracebacks disclose backend source code snippets, local file system paths, and system configuration details, providing attackers with valuable intelligence to facilitate further attacks or exploitation. The root cause is improper access control (CWE-284) and sensitive information exposure (CWE-215). The vulnerability requires no authentication or user interaction and can be exploited remotely over the network, making it highly accessible to attackers. Although no active exploits are currently known, the combination of unauthenticated data access and detailed error disclosures significantly raises the risk profile. The CVSS 3.1 score of 7.5 reflects a high severity rating, primarily due to the high confidentiality impact and ease of exploitation. The vulnerability affects operational telemetry data confidentiality but does not directly impact integrity or availability. Organizations deploying METIS WIC devices should urgently review their exposure of the /dbviewer/ endpoint, disable debug mode in production, and apply any available patches or mitigations once released.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive operational telemetry data collected by METIS WIC devices. Exposure of this data could lead to leakage of internal system states, operational metrics, or network configurations, which attackers could leverage for reconnaissance or to craft targeted attacks. The disclosure of backend source code and system paths via debug tracebacks further aids attackers in understanding the internal workings of the application, increasing the likelihood of successful exploitation of other vulnerabilities or unauthorized access. While the vulnerability does not directly affect system integrity or availability, the loss of confidentiality can have serious consequences, including regulatory non-compliance under GDPR if personal or sensitive data is indirectly exposed. Additionally, operational disruptions could occur if attackers use the disclosed information to escalate privileges or pivot within the network. Given the remote, unauthenticated nature of the exploit, the threat surface is broad, especially for organizations with internet-facing METIS WIC devices. This could impact critical infrastructure sectors in Europe that rely on METIS WIC for telemetry and operational monitoring, potentially undermining operational security and trust.
Mitigation Recommendations
European organizations should immediately audit their METIS WIC deployments to identify any instances running version oscore 2.1.234-r18 or other vulnerable versions. The following specific mitigations are recommended:
1) Restrict access to the /dbviewer/ endpoint by implementing strong authentication controls and network segmentation to limit exposure only to trusted internal users.
2) Disable debug mode in all production environments to prevent verbose error messages and traceback disclosures.
3) Monitor network traffic for unusual access attempts to the /dbviewer/ endpoint and implement intrusion detection rules to alert on suspicious activity.
4) If possible, apply vendor patches or updates as soon as they become available; if no patches exist yet, consider temporary compensating controls such as web application firewalls (WAFs) to block unauthorized access.
5) Conduct a thorough review of telemetry data stored in the SQLite database to assess sensitivity and consider encrypting or anonymizing data where feasible.
6) Educate IT and security teams about the risks of exposing debug information and enforce secure development and deployment practices.
7) Regularly review and update access control policies to ensure endpoints are not inadvertently exposed without authentication.
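The monitoring recommendation above, as log-based detection. This is an added example, not code from METIS or from the advisory. It assumes a reverse proxy in front of the device writes Combined Log Format, that 10.20.0.0/24 is the trusted management subnet, and that large 5xx bodies indicate a Django debug page; the sample lines and the `/telemetry` path are constructed.

```python
import ipaddress
import re

# Assumption: management subnets allowed to reach the device UI.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption (heuristic): 5xx bodies this large are likely debug traceback pages.
TRACEBACK_MIN_BYTES = 20_000

# Combined Log Format: src ident user [time] "METHOD target proto" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostnames or garbage are never trusted
    return any(addr in net for net in TRUSTED_NETS)

def classify(line):
    """Return the list of alert names raised by one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    # Drop the query string and collapse repeated slashes before matching.
    path = re.sub(r"/+", "/", m["target"].split("?", 1)[0]).lower()
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    alerts = []
    if path == "/dbviewer" or path.startswith("/dbviewer/"):
        if not is_trusted(m["src"]):
            alerts.append("dbviewer-untrusted-source")
        if status == 200 and m["user"] == "-":
            alerts.append("dbviewer-no-auth-user")  # served with no proxy login
    if status >= 500 and size >= TRACEBACK_MIN_BYTES:
        alerts.append("possible-debug-traceback")
    return alerts

def scan(lines):
    """Map line index -> alerts, keeping only lines that raised something."""
    return {i: a for i, line in enumerate(lines) if (a := classify(line))}

# Constructed sample lines (documentation address ranges), not captured traffic.
SAMPLE = [
    '10.20.0.15 - ops [11/Feb/2026:14:31:16 +0000] "GET /dbviewer/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Feb/2026:14:32:01 +0000] "GET /dbviewer/ HTTP/1.1" 200 734003',
    '203.0.113.7 - - [11/Feb/2026:14:32:09 +0000] "GET /telemetry HTTP/1.1" 500 68211',
    '10.20.0.15 - ops [11/Feb/2026:14:33:40 +0000] "GET /telemetry HTTP/1.1" 200 912',
]
```

The `dbviewer-no-auth-user` alert only means something once the proxy enforces a login on `/dbviewer/`; until then every successful request will raise it.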
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: MHV
- Date Reserved: 2026-02-09T13:38:44.756Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698c92b44b57a58fa19c028a
Added to database: 2/11/2026, 2:31:16 PM
Last enriched: 2/11/2026, 2:45:39 PM
Last updated: 2/11/2026, 5:59:08 PM