CVE-2026-2248

METIS · WIC devices

METIS WIC devices (<= oscore 2.1.234-r18) allow unauthenticated remote attackers to execute arbitrary commands with root privileges via the /console endpoint, leading to full system compromise.

Executive summary

METIS WIC devices are vulnerable to an unauthenticated remote code execution flaw that allows an attacker to gain full root-level control over the affected hardware.

Vulnerability

This critical vulnerability exists because the web-based shell at the /console endpoint does not implement any authentication mechanism. A remote, unauthenticated attacker can access this endpoint to execute arbitrary operating system commands with root (UID 0) privileges.

Business impact

A successful exploit results in the total loss of confidentiality, integrity, and availability for the affected METIS WIC device. Attackers can modify system configurations, exfiltrate sensitive data, or disrupt critical device operations. The CVSS score of 9.8 reflects the extreme severity of this flaw, as it requires no user interaction and can be executed over the network.

Remediation

Immediate Action: Update all METIS WIC devices to the latest firmware version provided by the vendor to disable or secure the /console endpoint.

Proactive Monitoring: Review web server access logs for any unauthorized requests directed at the /console URI and monitor for unusual outbound network traffic from these devices.

Compensating Controls: Restrict network access to the device management interface using a firewall or VPN, ensuring that the web interface is not exposed to the public internet.
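To support the log review called for under Proactive Monitoring, the following is an added example detection script; it is not vendor code and is not part of this advisory. It assumes the device's web server writes Apache/nginx "combined" access-log lines and that legitimate administrators come from one management subnet (10.0.10.0/24); both are constructed assumptions, as are the sample log lines.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions (not from the advisory): logs are in Apache/nginx "combined"
# format, and the management hosts live in this constructed subnet.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.10.0/24")]
CONSOLE_PATH = "/console"

# Fields: client_ip ident user [timestamp] "METHOD target HTTP/x" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if unparsable."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_console_request(target):
    """True if the request path is /console or anything beneath it (query string ignored)."""
    path = urlsplit(target).path
    return path == CONSOLE_PATH or path.startswith(CONSOLE_PATH + "/")

def from_management_net(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)

def find_console_access(lines):
    """Return (ts, ip, method, target, status, external) for every /console request;
    external=True marks clients outside the management network for immediate review."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_console_request(rec["target"]):
            continue
        external = not from_management_net(rec["ip"])
        findings.append((rec["ts"], rec["ip"], rec["method"], rec["target"], rec["status"], external))
    return findings

# Constructed sample log lines, not real device output.
SAMPLE_LOG = [
    '10.0.10.5 - - [12/Mar/2026:09:14:02 +0000] "GET /console HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Mar/2026:09:15:31 +0000] "POST /console?id=7 HTTP/1.1" 200 2048',
    '203.0.113.7 - - [12/Mar/2026:09:15:40 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.9 - - [12/Mar/2026:09:16:00 +0000] "GET /console/ HTTP/1.1" 404 0',
]
```

Even a 404 or a request from the management subnet is worth recording, since any reachability of /console from an untrusted network segment indicates the compensating controls above are not in effect.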

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability represents a significant risk to organizational infrastructure because it grants root-level access without authentication. IT administrators must prioritize the deployment of the vendor-supplied patch immediately. If patching is delayed, the devices should be isolated from the network to prevent remote exploitation.