The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
The vulnerability results from the lack of verification of the device initialization state in the commissioning wizard mechanism (CWE-305: Authentication Bypass by Primary Weakness). An attacker can send properly crafted HTTP POST requests directly to the wizard endpoint, even if the device has been previously configured. As a result, it is possible to set arbitrary credentials for the root account without any prior authentication. The attack does not require user interaction or knowledge of existing credentials.
An attacker gains full administrative control over the device by taking over the root account, leading to violations of confidentiality, integrity, and availability of the system and the data it processes.
Apply patches available from the manufacturer in accordance with the references (https://certvde.com/de/advisories/VDE-2025-097). Until the fix is implemented, it is recommended to isolate devices from public networks, restrict access to the management interface only to trusted hosts, and monitor unauthorized POST requests to the configuration wizard endpoints.
Metz-Connect Ewio2-BM, Ewio2-M-BM, and Ewio2-M devices along with their corresponding firmware versions — specific versions indicated in the manufacturer references (VDE-2025-097).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMetz Connect Ewio2 Bm
HWMetz-Connectwszystkie wersjeMetz Connect Ewio2 Bm Firmware
OSMetz-Connect< 2.2.0Metz Connect Ewio2 M
HWMetz-Connectwszystkie wersjeMetz Connect Ewio2 M Bm
HWMetz-Connectwszystkie wersjeMetz Connect Ewio2 M Bm Firmware
OSMetz-Connect< 2.2.0Metz Connect Ewio2 M Firmware
OSMetz-Connect< 2.2.0
Related vulnerabilities
RCE przez nieuwierzytelnione wykonanie plików PHP w Metz-Connect EWIO2
A low privileged remote attacker can upload any file to an arbitrary location due to missing file check result...
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path trave...
Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules...