1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: METZ CONNECT
- Equipment: EWIO2
- Vulnerabilities: Authentication Bypass by Primary Weakness, Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’), Unrestricted Upload of File with Dangerous Type, Path Traversal: ‘…/…//’, Improper Access Control
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
METZ CONNECT reports that the following products are affected:
- METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M: All versions
- METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM: All versions
- METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM: All versions
3.2 Vulnerability Overview
3.2.1 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS CWE-305
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
CVE-2025-41733 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
A CVSS v4 score has also been calculated for CVE-2025-41733. A base score of 9.3 has been calculated; the CVSS vector string is (This article has been indexed from All CISA Advisories