CVE-2025-41734
published 2025-11-18CVE-2025-41734: An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
PriorityP272critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.46%
36.4th percentile
An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metz-connect | ewio2-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m_firmware | < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | ethernet-io_ewio2-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →CVE-2025-41734 is a PHP Remote File Inclusion (CWE-98) vulnerability on METZ CONNECT EWIO2 devices (firmware <2.2.0). Detect unauthenticated remote requests that supply attacker-controlled filenames to PHP include/require statements on the device's web interface. ↗
- →Monitor for unauthenticated POST requests to the EWIO2 commissioning wizard endpoint, which may indicate chained exploitation of CVE-2025-41733 (auth bypass) prior to CVE-2025-41734 (PHP RFI) to gain full device access. ↗
- →Alert on inbound HTTP requests to EWIO2 devices where URL or POST parameters contain path traversal sequences (e.g., '.../...//') targeting PHP filename parameters, indicative of CVE-2025-41736 chained with CVE-2025-41734. ↗
- →Detect unauthenticated HTTP GET requests to EWIO2 web server paths that return raw PHP source code, indicating webserver misconfiguration (CVE-2025-41737) that may be used for reconnaissance before exploiting CVE-2025-41734. ↗
- ·All EWIO2 firmware versions prior to 2.2.0 are vulnerable across all three hardware variants (EWIO2-M, EWIO2-M-BM, EWIO2-BM). Detection rules should target devices running firmware <2.2.0. ↗
- ·No known public exploitation has been reported at time of advisory publication; detection posture should be proactive rather than reactive. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-w68v-cc7m-4xg9: An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices
ghsa_unreviewed·2025-11-18
CVE-2025-41734 [CRITICAL] CWE-98 GHSA-w68v-cc7m-4xg9: An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices
An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
CISA ICS
METZ CONNECT EWIO2
cisa_ics·2025-11-18·CVSS 9.8
[CRITICAL] METZ CONNECT EWIO2
ICS Advisory
##
METZ CONNECT EWIO2
Release DateNovember 18, 2025
Alert CodeICSA-25-322-05
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: METZ CONNECT
- Equipment: EWIO2
- Vulnerabilities: Authentication Bypass by Primary Weakness, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), Unrestricted Upload of File with Dangerous Type, Path Traversal: '.../...//', Improper Access Control
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote co
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-18
Published