CVE-2025-41733
Published 2025-11-18
Priority: P274 · Critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.58% (43.2nd percentile)
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
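The flaw class described above (CWE-305, authentication bypass by a primary weakness) comes down to a setup endpoint that never asks whether setup already happened. The following Python model, added here as an illustration and not EWIO2 firmware or vendor code, puts the vulnerable handler beside a hardened one; the endpoint path `/wizard/commission`, the `root_password` form field and the `DeviceState` layout are assumptions made for the example.

```python
"""CWE-305 in a commissioning wizard: the vulnerable handler beside a hardened one.

Added illustration of the flaw class, not EWIO2 firmware. The endpoint path
(/wizard/commission), the form field names and the device-state layout are
assumptions made for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DeviceState:
    initialized: bool = False          # set once commissioning has completed
    root_salt: bytes = b""
    root_hash: bytes = b""
    admin_sessions: set = field(default_factory=set)  # tokens of logged-in admins


@dataclass
class Request:
    method: str
    path: str
    form: dict
    session: Optional[str] = None      # session cookie presented, if any


WIZARD_PATH = "/wizard/commission"     # assumed endpoint name
MIN_PASSWORD_LEN = 12


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _set_root_password(state: DeviceState, password: str) -> None:
    state.root_salt = secrets.token_bytes(16)
    state.root_hash = _derive(password, state.root_salt)


def verify_root(state: DeviceState, password: str) -> bool:
    """Constant-time check of a candidate root password against the stored hash."""
    if not state.root_hash:
        return False
    return hmac.compare_digest(_derive(password, state.root_salt), state.root_hash)


def vulnerable_wizard(state: DeviceState, req: Request) -> int:
    """Flawed pattern: the wizard never checks whether setup already happened,
    so any unauthenticated POST overwrites the root credentials."""
    if req.method != "POST" or req.path != WIZARD_PATH:
        return 404
    _set_root_password(state, req.form.get("root_password", ""))
    state.initialized = True
    return 200


def hardened_wizard(state: DeviceState, req: Request) -> int:
    """Fixed pattern: commissioning is a one-shot state transition. Once the
    device is initialized the endpoint is closed to anyone who is not an
    authenticated admin; an out-of-band factory reset is the only way back."""
    if req.method != "POST" or req.path != WIZARD_PATH:
        return 404
    if state.initialized and req.session not in state.admin_sessions:
        return 403                     # already commissioned: refuse, leave state untouched
    password = req.form.get("root_password", "")
    if len(password) < MIN_PASSWORD_LEN:
        return 400                     # reject weak initial credentials as well
    _set_root_password(state, password)
    state.initialized = True
    return 200


def login(state: DeviceState, password: str) -> Optional[str]:
    """Issue an admin session token if the root password verifies."""
    if not verify_root(state, password):
        return None
    token = secrets.token_urlsafe(32)
    state.admin_sessions.add(token)
    return token


if __name__ == "__main__":
    owner = Request("POST", WIZARD_PATH, {"root_password": "correct horse battery"})
    attacker = Request("POST", WIZARD_PATH, {"root_password": "attacker-owns-it!"})

    v = DeviceState()
    vulnerable_wizard(v, owner)
    print("vulnerable, second POST:", vulnerable_wizard(v, attacker))  # 200, root replaced
    h = DeviceState()
    hardened_wizard(h, owner)
    print("hardened, second POST:", hardened_wizard(h, attacker))      # 403, root unchanged
```

The important property is that the hardened handler decides on `state.initialized` before it touches any credential, and that the only path past that check is a session the device itself issued. A firmware fix that merely hides the wizard link in the UI while leaving the POST handler reachable would not close the hole.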
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metz-connect | ewio2-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m_firmware | < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | ethernet-io_ewio2-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the commissioning wizard endpoint on METZ CONNECT EWIO2 devices; such requests can set root credentials without prior authentication.
- Only EWIO2 devices running firmware versions prior to 2.2.0 are exploitable: the commissioning wizard does not check whether the device is already initialized, allowing credential takeover.
- All hardware variants (EWIO2-M, EWIO2-M-BM, EWIO2-BM) running firmware below 2.2.0 are affected.
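Because commissioning is a one-time event, the simplest log-based signal for the first bullet is any POST to the wizard endpoint after the first successful one. The script below is an added example, not a detection rule taken from the page's sources; it assumes the device writes combined-format HTTP access logs and that the wizard is reached at `/wizard/commission` (both assumptions, to be adjusted to the real firmware), and the sample log lines are constructed.

```python
"""Flag re-commissioning attempts in web-server access logs.

Added example, not a rule from the page's sources. Assumes combined-format
access logs and a wizard endpoint at /wizard/commission (both assumptions).
"""
import re
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
WIZARD_PATH = "/wizard/commission"   # assumed endpoint

# Constructed sample: the installer commissions the device once on day one;
# the next night an unknown host re-runs the wizard with a scripted client.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Nov/2025:09:12:01 +0000] "GET /wizard HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Nov/2025:09:13:44 +0000] "POST /wizard/commission HTTP/1.1" 200 312 "-" "Mozilla/5.0"
192.0.2.10 - - [18/Nov/2025:09:14:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Nov/2025:02:41:09 +0000] "POST /wizard/commission HTTP/1.1" 200 312 "-" "python-requests/2.32"
198.51.100.7 - - [19/Nov/2025:02:41:15 +0000] "POST /login HTTP/1.1" 302 0 "-" "python-requests/2.32"
"""


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_recommissioning(lines, wizard_path=WIZARD_PATH):
    """Return one alert per POST to the wizard after the first successful one.

    The first 2xx POST is taken as the legitimate commissioning (failed POSTs
    before it are ignored as installer fumbles). Every later POST to the same
    endpoint is reported whether it succeeded (unpatched firmware: root
    credentials replaced) or was refused (patched firmware: still an attempt).
    """
    alerts = []
    baseline = None
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != wizard_path:
            continue
        if baseline is None:
            if 200 <= rec["status"] < 300:
                baseline = rec
            continue
        alerts.append({
            "ip": rec["ip"],
            "time": rec["ts"].isoformat(),
            "status": rec["status"],
            "user_agent": rec["ua"],
            "new_source": rec["ip"] != baseline["ip"],
            "credentials_changed": 200 <= rec["status"] < 300,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_recommissioning(SAMPLE_LOG.splitlines()):
        print(alert)
```

On a fleet where the commissioning date is known from change records, the same rule reduces to "any POST to the wizard endpoint after that date"; a 2xx response on that POST on firmware below 2.2.0 should be treated as a confirmed root-credential change, not merely an attempt.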
GHSA
GHSA-rg84-wv55-qxqc (ghsa_unreviewed · 2025-11-18) · CVE-2025-41733 · CRITICAL · CWE-305 (Authentication Bypass by Primary Weakness)
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
CISA ICS
ICS Advisory ICSA-25-322-05: METZ CONNECT EWIO2 (cisa_ics · 2025-11-18 · CVSS 9.8 · CRITICAL)
Release date: November 18, 2025
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: METZ CONNECT
- Equipment: EWIO2
- Vulnerabilities: Authentication Bypass by Primary Weakness, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), Unrestricted Upload of File with Dangerous Type, Path Traversal: '.../...//', Improper Access Control
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote co
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-11-18