CVE-2025-41735
published 2025-11-18

CVE-2025-41735: A low privileged remote attacker can upload any file to an arbitrary location due to a missing file check, resulting in remote code execution.

Priority: P2 · 61 · Severity: high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.52% (39.9th percentile)

Affected

6 ranges
Vendor        | Product                          | Version range      | Fixed in
metz-connect  | ewio2-bm_firmware                | < 2.2.0            | 2.2.0
metz-connect  | ewio2-m-bm_firmware              | < 2.2.0            | 2.2.0
metz-connect  | ewio2-m_firmware                 | < 2.2.0            | 2.2.0
metz_connect  | energy-controlling_ewio2-m       | >= 0.0.0 < 2.2.0   | 2.2.0
metz_connect  | energy-controlling_ewio2-m-bm    | >= 0.0.0 < 2.2.0   | 2.2.0
metz_connect  | ethernet-io_ewio2-bm             | >= 0.0.0 < 2.2.0   | 2.2.0

Detection & IOCs (extracted from sources)

  • Detect unrestricted file upload attempts targeting METZ CONNECT EWIO2 devices — a low-privileged authenticated attacker can upload any file type to an arbitrary location via missing file-type validation in the PHP upload handler, leading to RCE.
  • Monitor for file upload requests from low-privileged sessions to unexpected or arbitrary filesystem paths on EWIO2 devices running firmware versions prior to 2.2.0.
  • Correlate CVE-2025-41735 (unrestricted upload) with CVE-2025-41736 (path traversal '...//') — an attacker may chain both to upload a malicious Python script to an arbitrary location via path traversal of the target filename in PHP.
  • Alert on POST requests to the EWIO2 commissioning wizard endpoint from unauthenticated sources — may indicate chained exploitation starting with CVE-2025-41733 (auth bypass) to obtain credentials before exploiting CVE-2025-41735.
  • CVE-2025-41735 affects all METZ CONNECT EWIO2 firmware versions strictly below 2.2.0 across all three hardware variants (EWIO2-M, EWIO2-M-BM, EWIO2-BM); firmware 2.2.0 is the fixed version.
  • No known public exploitation of CVE-2025-41735 had been reported to CISA at the time of advisory publication (November 18, 2025).