CVE-2025-41735
published 2025-11-18CVE-2025-41735: A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.52%
39.9th percentile
A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metz-connect | ewio2-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m_firmware | < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | ethernet-io_ewio2-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect unrestricted file upload attempts targeting METZ CONNECT EWIO2 devices — a low-privileged authenticated attacker can upload any file type to an arbitrary location via missing file-type validation in the PHP upload handler, leading to RCE. ↗
- →Monitor for file upload requests from low-privileged sessions to unexpected or arbitrary filesystem paths on EWIO2 devices running firmware versions prior to 2.2.0. ↗
- →Correlate CVE-2025-41735 (unrestricted upload) with CVE-2025-41736 (path traversal '...//') — an attacker may chain both to upload a malicious Python script to an arbitrary location via path traversal of the target filename in PHP. ↗
- →Alert on POST requests to the EWIO2 commissioning wizard endpoint from unauthenticated sources — may indicate chained exploitation starting with CVE-2025-41733 (auth bypass) to obtain credentials before exploiting CVE-2025-41735. ↗
- ·CVE-2025-41735 affects all METZ CONNECT EWIO2 firmware versions strictly below 2.2.0 across all three hardware variants (EWIO2-M, EWIO2-M-BM, EWIO2-BM); firmware 2.2.0 is the fixed version. ↗
- ·No known public exploitation of CVE-2025-41735 has been reported to CISA at time of advisory publication (November 18, 2025). ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-8vvf-2g79-4gqm: A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution
ghsa_unreviewed·2025-11-18
CVE-2025-41735 [HIGH] CWE-434 GHSA-8vvf-2g79-4gqm: A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution
A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
CISA ICS
METZ CONNECT EWIO2
cisa_ics·2025-11-18·CVSS 9.8
[CRITICAL] METZ CONNECT EWIO2
ICS Advisory
##
METZ CONNECT EWIO2
Release DateNovember 18, 2025
Alert CodeICSA-25-322-05
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: METZ CONNECT
- Equipment: EWIO2
- Vulnerabilities: Authentication Bypass by Primary Weakness, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), Unrestricted Upload of File with Dangerous Type, Path Traversal: '.../...//', Improper Access Control
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote co
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-18
Published