CVE-2025-41734
published 2025-11-18

CVE-2025-41734: An unauthenticated remote attacker can execute arbitrary PHP files and gain full access to the affected devices.

Priority: P272
Severity: critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% (36.4th percentile)

Affected

6 ranges
Vendor        Product                        Version range        Fixed in
metz-connect  ewio2-bm_firmware              < 2.2.0              2.2.0
metz-connect  ewio2-m-bm_firmware            < 2.2.0              2.2.0
metz-connect  ewio2-m_firmware               < 2.2.0              2.2.0
metz_connect  energy-controlling_ewio2-m     >= 0.0.0 < 2.2.0     2.2.0
metz_connect  energy-controlling_ewio2-m-bm  >= 0.0.0 < 2.2.0     2.2.0
metz_connect  ethernet-io_ewio2-bm           >= 0.0.0 < 2.2.0     2.2.0

Detection & IOCs (extracted from sources)

  • CVE-2025-41734 is a PHP Remote File Inclusion (CWE-98) vulnerability on METZ CONNECT EWIO2 devices (firmware <2.2.0). Detect unauthenticated remote requests that supply attacker-controlled filenames to PHP include/require statements on the device's web interface.
  • Monitor for unauthenticated POST requests to the EWIO2 commissioning wizard endpoint, which may indicate chained exploitation of CVE-2025-41733 (auth bypass) prior to CVE-2025-41734 (PHP RFI) to gain full device access.
  • Alert on inbound HTTP requests to EWIO2 devices where URL or POST parameters contain path traversal sequences (e.g., '.../...//') targeting PHP filename parameters, indicative of CVE-2025-41736 chained with CVE-2025-41734.
  • Detect unauthenticated HTTP GET requests to EWIO2 web server paths that return raw PHP source code, indicating webserver misconfiguration (CVE-2025-41737) that may be used for reconnaissance before exploiting CVE-2025-41734.
  • All EWIO2 firmware versions prior to 2.2.0 are vulnerable across all three hardware variants (EWIO2-M, EWIO2-M-BM, EWIO2-BM). Detection rules should target devices running firmware <2.2.0.
  • No known public exploitation has been reported at time of advisory publication; detection posture should be proactive rather than reactive.