Critical METZ CONNECT Flaws (CVSS 9.8) Allow Unauthenticated RCE and Admin Takeover on Industrial Controllers

METZ CONNECT GmbH, in coordination with CERT@VDE, has issued an urgent security advisory warning of multiple critical vulnerabilities affecting its EWIO-2 series, including Energy-Controlling EWIO2-M, EWIO2-M-BM, and Ethernet-IO EWIO2-BM devices. The flaws—some scoring as high as CVSS 9.8—allow unauthenticated attackers to gain full administrative control, execute arbitrary code, manipulate data, or completely disable the device.

According to the advisory, “A critical authentication bypass in EWIO-2 allows unauthenticated attackers with network access to gain administrative control over the device.”

Once compromised, attackers can alter configurations, disrupt operational services, and even render the device unusable.

The advisory emphasizes the severity of the situation, noting that: “Due to these vulnerabilities an unauthenticated attacker can take over control of the device. The data integrity as well as the device availability could no longer be guaranteed.”

In industrial, energy control, and automation environments where EWIO-2 devices are commonly deployed, such a compromise could lead to operational outages, data manipulation, or cascading failures.

Breakdown of the Five Vulnerabilities

CVE-2025-41734 — Unauthenticated RCE via Arbitrary PHP Execution (CVSS 9.8)

A remote attacker can execute arbitrary PHP files on the device without authentication, immediately achieving full system access.

“An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.”

This is the most severe flaw and poses a direct, high-impact threat.

CVE-2025-41733 — Commissioning Wizard Allows Reset of Root Credentials (CVSS 9.8)

The device’s setup wizard does not verify whether initialization has already taken place. As a result:

“An unauthenticated remote attacker can construct POST requests to set root credentials.”

This allows attackers to simply assign themselves a new root password and take ownership of the device.

CVE-2025-41736 — Path Traversal Enables Python Script Overwrite & RCE (CVSS 8.8)

A low-privileged attacker can exploit a path traversal flaw to upload or overwrite Python scripts on the device:

“A low privileged remote attacker can upload a new or overwrite an existing python script… resulting in a remote code execution.”

This allows attackers to escalate privileges and run unauthorized code.

CVE-2025-41735 — Arbitrary File Upload to Any Location (CVSS 8.8)

A second upload vulnerability enables unrestricted file placement:

“A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.”

Used together, CVE-2025-41735 and -41736 create a powerful remote takeover chain.

CVE-2025-41737 — PHP Source Code Disclosure (CVSS 7.5)

Due to misconfigured web server settings: “An unauthenticated remote attacker is able to read the source of php modules.”

This allows adversaries to gather sensitive information and identify further attack paths.

Affected Products

All vulnerabilities affect EWIO-2 devices running firmware earlier than version 2.2.0, including:

• 110930 – Energy-Controlling EWIO2-M
• 110935 – Energy-Controlling EWIO2-M-BM
• 110904 – Ethernet-IO EWIO2-BM

Remediation

METZ CONNECT has released patched firmware:

• Firmware version 2.2.0

Organizations should schedule updates as soon as possible, particularly for devices exposed to internal or external networks.

Related Posts:

• Kaspersky Report: Energy Industry becomes the largest area affected by vulnerabilities in industrial automation systems
• PHP Everywhere WordPress Plugin Remote Code Execution Alert
• Multiple Vulnerabilities Discovered in PHP, Prompting Urgent Security Updates
• GitLab Releases Security Update to Patch XSS and Account Takeover Flaws