Multiple vulnerabilities reported in METZ CONNECT EWIO2 Industrial Control Systems
Take action: Make sure your METZ CONNECT EWIO2 devices are isolated from the internet and only accessible from trusted networks. Then plan a patch cycle to upgrade to firmware version 2.2.0 or later.
Learn More
METZ CONNECT has released a security advisory patching multiple critical vulnerabilities affecting its EWIO2 series of industrial control system devices, including the EWIO2-M, EWIO2-M-BM, and EWIO2-BM hardware platforms. These flaws enable unauthenticated remote attackers to bypass authentication mechanisms, execute arbitrary code, and gain complete control over affected devices.
Vulnerabilities summary:
- CVE-2025-41733 (CVSS score 9.8) - Authentication bypass vulnerability in the commissioning wizard that allows unauthenticated remote attackers to set root credentials by constructing malicious POST requests without validating device initialization status
- CVE-2025-41734 (CVSS score 9.8) - PHP remote file inclusion flaw enabling unauthenticated attackers to execute arbitrary PHP files and gain full device access through improper control of filename handling in PHP include/require statements
- CVE-2025-41735 (CVSS score 8.8) - Unrestricted file upload vulnerability allowing low-privileged remote attackers to upload dangerous file types to arbitrary locations due to missing file validation checks, resulting in remote code execution capabilities
- CVE-2025-41736 (CVSS score 8.8) - Path traversal vulnerability permitting low-privileged attackers to upload new or overwrite existing Python scripts using directory traversal sequences in PHP target filenames, leading to remote code execution
- CVE-2025-41737 (CVSS score 7.5) - Webserver misconfiguration allowing unauthenticated remote attackers to read PHP module source code due to improper access control implementation
Affected versions are all METZ CONNECT firmware versions prior to 2.2.0 installed on EWIO2-M, EWIO2-M-BM, and EWIO2-BM hardware.
METZ CONNECT has released firmware version 2.2.0 to patch all five vulnerabilities across the entire EWIO2 product line. The vendor strongly recommends that all users upgrade to firmware 2.2.0 or later, scheduling updates during the next available maintenance window. No workarounds provide equivalent protection to the firmware update.
