CVE-2025-41736
Published: 2025-11-18
Priority: P2 · 60 · high · CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.63% (45.7th percentile)
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metz-connect | ewio2-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m_firmware | < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | ethernet-io_ewio2-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
Detection & IOCs (extracted from sources)
- Detect path traversal patterns (e.g., '.../...//' sequences) in HTTP POST request filenames targeting PHP file upload endpoints on METZ CONNECT EWIO2 devices, which may indicate an attempt to overwrite or place a Python script in an arbitrary location for RCE.
- Monitor for the specific path traversal pattern '.../...//' in HTTP request parameters or filenames on EWIO2 web interfaces, as this is the CWE-35 variant exploited by CVE-2025-41736.
- Alert on file uploads containing Python script extensions (.py) via HTTP POST to EWIO2 PHP endpoints, especially where the target filename parameter contains directory traversal sequences.
- CVE-2025-41736 affects METZ CONNECT EWIO2 firmware versions prior to 2.2.0 across all hardware variants (EWIO2-M, EWIO2-M-BM, EWIO2-BM). Exploitation requires low-privilege authenticated access (PR:L), not unauthenticated access.
- This CVE is one of five related vulnerabilities (CVE-2025-41733 through CVE-2025-41737) affecting the same product; chaining with CVE-2025-41733 (auth bypass, CVSS 9.8) could allow unauthenticated exploitation of CVE-2025-41736.
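The detection items above, as an added example written for this page (not code from the advisory or from METZ CONNECT): a small log classifier that flags POST uploads to PHP endpoints whose filename parameter, after URL decoding, contains a traversal sequence or ends in .py, plus the server-side allow-list check that removes the condition. The '/upload.php' endpoint and the log lines are constructed for illustration.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample request-log lines (hypothetical '/upload.php' endpoint; not real EWIO2 traffic).
SAMPLE_LOGS = [
    "POST /upload.php filename=report.csv",
    "POST /upload.php filename=.../...//scripts/task.py",
    "POST /upload.php filename=..%2F..%2Fscripts%2Ftask.py",
    "POST /upload.php filename=%2E%2E%252F%2E%2E%252Ftask.py",  # double-encoded
    "GET /status.php page=overview",
]

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+) filename=(?P<name>\S*)$")
# '../' also occurs inside the '.../...//' variant, so one pattern covers both forms.
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")

def decode_fully(value, rounds=3):
    """URL-decode repeatedly so single- and double-encoded traversal is compared in clear text."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Reasons a log line matches the upload-traversal pattern; empty list if benign or irrelevant."""
    m = LINE_RE.match(line)
    if not m or m.group("method") != "POST" or not m.group("path").endswith(".php"):
        return []
    name = decode_fully(m.group("name"))
    reasons = []
    if TRAVERSAL_RE.search(name):
        reasons.append("traversal-in-filename")
    if name.lower().endswith(".py"):
        reasons.append("python-script-upload")
    return reasons

def scan(lines):
    """Map each matching line to its reasons; benign lines are omitted."""
    return {line: reasons for line in lines if (reasons := classify(line))}

def is_safe_upload_name(name, allowed=("csv", "txt")):
    """Server-side check: a bare basename with an allow-listed extension, nothing else."""
    decoded = decode_fully(name)
    ext = decoded.rsplit(".", 1)[-1].lower() if "." in decoded else ""
    return (decoded == os.path.basename(decoded) and "\\" not in decoded
            and decoded not in ("", ".", "..") and ext in allowed)
```

Run `scan(SAMPLE_LOGS)` to see which constructed lines are flagged and why.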
GHSA
GHSA-gqmc-vx75-xcqg · ghsa_unreviewed · 2025-11-18 · CVE-2025-41736 [HIGH] CWE-22
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.
CISA ICS
METZ CONNECT EWIO2 · cisa_ics · 2025-11-18 · CVSS 9.8 [CRITICAL]
ICS Advisory
## METZ CONNECT EWIO2
Release Date: November 18, 2025
Alert Code: ICSA-25-322-05
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: METZ CONNECT
- Equipment: EWIO2
- Vulnerabilities: Authentication Bypass by Primary Weakness, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), Unrestricted Upload of File with Dangerous Type, Path Traversal: '.../...//', Improper Access Control
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote co
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.