CRITICAL🇵🇱 Wersja polska

CVE-2025-41734

CVSS 9.8v3.1pub. 2025-11-18upd. 2025-11-21

An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.

🤖 AI Analysis
How it works

A vulnerability classified as CWE-98 (PHP Remote File Inclusion) allows an attacker to force execution of arbitrary PHP files through a vulnerable component of the device's web application. The attack is possible remotely over the network and does not require any privileges or user interaction. The correct path to a PHP file can be substituted or pointed out by the attacker in a way accepted by the application without verification of the requester's identity.

Impact

Attacker gains full access to the compromised device, which means the ability to read and modify configuration, take control of the device's industrial functions, and potentially use it as an entry point to the OT/IT network.

Mitigation & patch

Patches available from the manufacturer should be applied according to references (https://certvde.com/de/advisories/VDE-2025-097). Until the fix is implemented, it is recommended to restrict network access to the web interface of devices only to trusted hosts and to isolate devices from the public internet.

Who is affected

Metz-Connect EWIO2-BM (firmware), Metz-Connect EWIO2-M-BM, Metz-Connect EWIO2-M (firmware) — versions indicated in manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Metz Connect Ewio2 Bm

    HW
    Metz-Connect
    wszystkie wersje
  • Metz Connect Ewio2 Bm Firmware

    OS
    Metz-Connect
    < 2.2.0
  • Metz Connect Ewio2 M

    HW
    Metz-Connect
    wszystkie wersje
  • Metz Connect Ewio2 M Bm

    HW
    Metz-Connect
    wszystkie wersje
  • Metz Connect Ewio2 M Bm Firmware

    OS
    Metz-Connect
    < 2.2.0
  • Metz Connect Ewio2 M Firmware

    OS
    Metz-Connect
    < 2.2.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-41733CRITICAL9.8PL ✓ten sam produkt

Metz-Connect Ewio2: brak uwierzytelnienia przy ustawianiu hasła root

CVE-2025-41735HIGH8.8ten sam produkt

A low privileged remote attacker can upload any file to an arbitrary location due to missing file check result...

CVE-2025-41736HIGH8.8ten sam produkt

A low privileged remote attacker can upload a new or overwrite an existing python script by using a path trave...

CVE-2025-41737HIGH7.5ten sam produkt

Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules...