CVE-2025-41733
published 2025-11-18


Priority: P274
Severity: critical (CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.58% (43.2nd percentile)
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

Affected (6 ranges)

Vendor        Product                          Version range       Fixed in
metz-connect  ewio2-bm_firmware                < 2.2.0             2.2.0
metz-connect  ewio2-m-bm_firmware              < 2.2.0             2.2.0
metz-connect  ewio2-m_firmware                 < 2.2.0             2.2.0
metz_connect  energy-controlling_ewio2-m       >= 0.0.0, < 2.2.0   2.2.0
metz_connect  energy-controlling_ewio2-m-bm    >= 0.0.0, < 2.2.0   2.2.0
metz_connect  ethernet-io_ewio2-bm             >= 0.0.0, < 2.2.0   2.2.0

Detection & IOCs (extracted from sources)

  • Detect unauthenticated POST requests targeting the commissioning wizard endpoint on METZ CONNECT EWIO2 devices, which can be used to set root credentials without prior authentication.
  • The vulnerability is only exploitable on METZ CONNECT EWIO2 devices running firmware versions prior to 2.2.0; the commissioning wizard fails to check whether the device is already initialized, allowing credential takeover.
  • All hardware variants (EWIO2-M, EWIO2-M-BM, EWIO2-BM) running firmware below 2.2.0 are affected.