CVE-2026-2250: CWE-284 Improper Access Control in METIS Cyberspace Technology SA METIS WIC
The /dbviewer/ web endpoint in METIS WIC devices is exposed without authentication. A remote attacker can access and export the internal telemetry SQLite database containing sensitive operational data. Additionally, the application is configured with debug mode enabled, causing malformed requests to return verbose Django tracebacks that disclose backend source code, local file paths, and system configuration.
AI Analysis
Technical Summary
CVE-2026-2250 is a vulnerability in the METIS WIC product by METIS Cyberspace Technology SA, specifically in version oscore 2.1.234-r18. The issue stems from the /dbviewer/ web endpoint being exposed without any authentication mechanism, allowing any remote attacker to access and export the internal telemetry SQLite database. This database contains sensitive operational data that could reveal system behavior and configurations. Compounding this, the application is configured with debug mode enabled, which causes malformed HTTP requests to trigger verbose Django framework tracebacks. These tracebacks disclose critical backend information including source code snippets, local file paths, and system configuration details, which can aid attackers in crafting more targeted attacks or escalating privileges. The vulnerability is classified under CWE-284 (Improper Access Control) and CWE-215 (Information Exposure Through Debug Information). The CVSS v3.1 base score is 7.5, reflecting a high severity due to the vulnerability's network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (C:H) but no impact on integrity or availability. Although no exploits have been reported in the wild yet, the exposure of sensitive data and debug information presents a significant risk. The vulnerability was published on February 11, 2026, and no patches are currently linked, indicating that organizations must implement interim mitigations. The affected product is likely used in environments requiring telemetry and operational monitoring, such as telecommunications or critical infrastructure sectors.
Potential Impact
For European organizations, this vulnerability poses a significant risk to confidentiality of operational data, which could include sensitive telemetry and system behavior information. Exposure of such data can facilitate espionage, competitive intelligence gathering, or preparation for more damaging attacks. The debug mode information disclosure further increases risk by revealing backend source code and system details, potentially enabling attackers to identify additional vulnerabilities or misconfigurations. Organizations relying on METIS WIC devices in critical sectors like telecommunications, energy, or government infrastructure could face operational risks if attackers leverage this vulnerability for reconnaissance or lateral movement. The lack of authentication means attackers can exploit this remotely without credentials, increasing the attack surface. Although integrity and availability are not directly impacted, the confidentiality breach alone can have severe regulatory and reputational consequences under European data protection laws such as GDPR. Additionally, the exposure of internal system details may lead to targeted attacks against European networks using these devices.
Mitigation Recommendations
1. Immediately disable debug mode in the METIS WIC application configuration to prevent verbose error messages and traceback disclosures.
2. Restrict access to the /dbviewer/ endpoint by implementing strong authentication mechanisms, such as multi-factor authentication or integration with enterprise identity providers.
3. Use network segmentation and firewall rules to limit access to the management interfaces of METIS WIC devices only to trusted administrative networks.
4. Monitor network traffic and logs for any unauthorized access attempts to the /dbviewer/ endpoint or unusual export activity of telemetry data.
5. Engage with METIS Cyberspace Technology SA to obtain patches or updates addressing this vulnerability and apply them promptly once available.
6. Conduct a thorough security review of all METIS WIC deployments to identify any other misconfigurations or exposure risks.
7. Implement intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability.
8. Educate operational and security teams about the risks of running production systems in debug mode and enforce secure configuration baselines.
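The log monitoring in recommendation 4, sketched as an added example (not code from METIS or from the original advisory). It assumes access logs in Combined Log Format, taken from the device or from a reverse proxy in front of it; the admin range, size threshold, `/status` path and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: trusted administrative networks; replace with your own ranges.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: a /dbviewer/ response at or above this size may be a database export.
EXPORT_BYTES = 1_000_000

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '10.20.0.5 - - [11/Feb/2026:10:00:00 +0000] "GET /dbviewer/ HTTP/1.1" 200 5120',
    '203.0.113.7 - - [11/Feb/2026:10:01:00 +0000] "GET /dbviewer/ HTTP/1.1" 200 4194304',
    '198.51.100.9 - - [11/Feb/2026:10:02:00 +0000] "GET /status HTTP/1.1" 500 68211',
]

def classify(line):
    """Return the finding labels for one access-log line (empty list = nothing to report)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]  # surface malformed lines instead of skipping them silently
    try:
        src = ipaddress.ip_address(m["ip"])
    except ValueError:
        return ["unparsed"]  # client field is a hostname or otherwise not an IP
    trusted = any(src in net for net in ADMIN_NETS)
    status = int(m["status"])
    size = 0 if m["size"] == "-" else int(m["size"])
    path = m["path"].split("?", 1)[0].lower()
    findings = []
    if path.startswith("/dbviewer"):
        if not trusted:
            findings.append("dbviewer-untrusted-source")
        if status == 200 and size >= EXPORT_BYTES:
            findings.append("dbviewer-large-response")
    if status >= 500 and not trusted:  # with debug mode on, error pages may carry tracebacks
        findings.append("server-error-untrusted-source")
    return findings

def scan(lines):
    """Return (line_number, findings) for every line that produced at least one finding."""
    hits = [(n, classify(l)) for n, l in enumerate(lines, 1)]
    return [(n, f) for n, f in hits if f]
```

Any `dbviewer-untrusted-source` hit also indicates that the segmentation in recommendation 3 is not in effect for that device.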
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: MHV
- Date Reserved: 2026-02-09T13:38:44.756Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 698c92b44b57a58fa19c028a
Added to database: 2/11/2026, 2:31:16 PM
Last enriched: 2/18/2026, 3:01:11 PM
Last updated: 3/31/2026, 2:44:17 PM