CVE-2025-41736
published 2025-11-18


Priority: P2 · 60 · high
CVSS 3.1 base score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.63% (45.7th percentile)
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.

Affected (6 ranges)

Vendor         Product                          Version range       Fixed in
metz-connect   ewio2-bm_firmware                < 2.2.0             2.2.0
metz-connect   ewio2-m-bm_firmware              < 2.2.0             2.2.0
metz-connect   ewio2-m_firmware                 < 2.2.0             2.2.0
metz_connect   energy-controlling_ewio2-m       >= 0.0.0 < 2.2.0    2.2.0
metz_connect   energy-controlling_ewio2-m-bm    >= 0.0.0 < 2.2.0    2.2.0
metz_connect   ethernet-io_ewio2-bm             >= 0.0.0 < 2.2.0    2.2.0

Detection & IOCs (extracted from sources)

  • Detect path traversal patterns (e.g., '.../...//' sequences) in HTTP POST request filenames targeting PHP file upload endpoints on METZ CONNECT EWIO2 devices, which may indicate an attempt to overwrite or place a Python script in an arbitrary location for RCE.
  • Monitor for the specific path traversal pattern '.../...//' in HTTP request parameters or filenames on EWIO2 web interfaces, as this is the CWE-35 variant exploited by CVE-2025-41736.
  • Alert on file uploads containing Python script extensions (.py) via HTTP POST to EWIO2 PHP endpoints, especially where the target filename parameter contains directory traversal sequences.
  • CVE-2025-41736 affects METZ CONNECT EWIO2 firmware versions prior to 2.2.0 across all hardware variants (EWIO2-M, EWIO2-M-BM, EWIO2-BM). Exploitation requires low-privilege authenticated access (PR:L), not unauthenticated access.
  • This CVE is one of five related vulnerabilities (CVE-2025-41733 through CVE-2025-41737) affecting the same product; chaining with CVE-2025-41733 (auth bypass, CVSS 9.8) could allow unauthenticated exploitation of CVE-2025-41736.
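As an added example (not code from this page or from METZ CONNECT), the detection guidance above turned into a small log-scanning rule in Python: it flags POST requests to PHP endpoints whose filename parameter carries a traversal sequence (including the '.../...//' CWE-35 variant) or a .py target. The log lines are constructed, and the endpoint path and the `filename` parameter name are assumptions, since the page does not name the vulnerable upload script.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the page). The upload endpoint
# and the "filename" parameter are assumptions; the traversal pattern and the
# .py target mirror the detection bullets above.
SAMPLE_LOG = """\
10.0.0.5 - user1 [18/Nov/2025:10:01:02 +0000] "POST /upload.php?filename=report.py HTTP/1.1" 200 512
10.0.0.7 - user2 [18/Nov/2025:10:02:15 +0000] "POST /upload.php?filename=.../...//scripts/run.py HTTP/1.1" 200 512
10.0.0.8 - user3 [18/Nov/2025:10:03:40 +0000] "POST /upload.php?filename=..%252F..%252Fetc%252Fhooks.py HTTP/1.1" 200 512
10.0.0.9 - user4 [18/Nov/2025:10:04:01 +0000] "GET /status.php HTTP/1.1" 200 128
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) ')

# The '.../...//' variant named on the page, plus plain '../' and '..\' segments.
TRAVERSAL_RE = re.compile(r"\.\.\./\.\.\.//|(?:^|[\\/])\.\.(?:[\\/]|$)")

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding so double-encoded traversal is visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line, param="filename"):
    """Return a finding for a suspicious upload request, or None if benign."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    url = urlsplit(m["target"])
    if not url.path.lower().endswith(".php"):
        return None
    for raw in parse_qs(url.query).get(param, []):
        name = decode_fully(raw)  # parse_qs already decoded one layer
        traversal = bool(TRAVERSAL_RE.search(name))
        python = name.lower().endswith(".py")
        if traversal or python:
            return {"src": m["src"], "user": m["user"], "filename": name,
                    "traversal": traversal, "python_script": python,
                    "severity": "high" if traversal and python else "medium"}
    return None

def scan(log_text):
    """Run classify() over every line and keep the findings, in log order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]
```

A plain .py upload without traversal is reported at medium severity because the page says low-privileged users can legitimately upload scripts; only the combination with traversal is treated as the RCE indicator.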