CVE-2025-41737
Published 2025-11-18
CVE-2025-41737: Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of PHP modules.
Priority: P348 · high · 7.5 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.39% (31.0th percentile)
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metz-connect | ewio2-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m-bm_firmware | < 2.2.0 | 2.2.0 |
| metz-connect | ewio2-m_firmware | < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | energy-controlling_ewio2-m-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
| metz_connect | ethernet-io_ewio2-bm | >= 0.0.0 < 2.2.0 | 2.2.0 |
GHSA
GHSA-hwv7-hhjx-9j44: Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules
ghsa_unreviewed·2025-11-18
CVE-2025-41737 [HIGH] CWE-284 GHSA-hwv7-hhjx-9j44: Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules
CISA ICS
METZ CONNECT EWIO2
cisa_ics·2025-11-18·CVSS 9.8
[CRITICAL] METZ CONNECT EWIO2
ICS Advisory
## METZ CONNECT EWIO2
Release Date: November 18, 2025
Alert Code: ICSA-25-322-05
## 1. EXECUTIVE SUMMARY
- CVSS v4 9.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: METZ CONNECT
- Equipment: EWIO2
- Vulnerabilities: Authentication Bypass by Primary Weakness, Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion'), Unrestricted Upload of File with Dangerous Type, Path Traversal: '.../...//', Improper Access Control
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to bypass authentication and control the device remotely or perform remote co
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-11-18
Published