An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
A vulnerability classified as CWE-98 (PHP Remote File Inclusion) allows an attacker to force execution of arbitrary PHP files through a vulnerable component of the device's web application. The attack is possible remotely over the network and does not require any privileges or user interaction. The correct path to a PHP file can be substituted or pointed out by the attacker in a way accepted by the application without verification of the requester's identity.
Attacker gains full access to the compromised device, which means the ability to read and modify configuration, take control of the device's industrial functions, and potentially use it as an entry point to the OT/IT network.
Patches available from the manufacturer should be applied according to references (https://certvde.com/de/advisories/VDE-2025-097). Until the fix is implemented, it is recommended to restrict network access to the web interface of devices only to trusted hosts and to isolate devices from the public internet.
Metz-Connect EWIO2-BM (firmware), Metz-Connect EWIO2-M-BM, Metz-Connect EWIO2-M (firmware) — versions indicated in manufacturer references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMetz Connect Ewio2 Bm
HWMetz-Connectwszystkie wersjeMetz Connect Ewio2 Bm Firmware
OSMetz-Connect< 2.2.0Metz Connect Ewio2 M
HWMetz-Connectwszystkie wersjeMetz Connect Ewio2 M Bm
HWMetz-Connectwszystkie wersjeMetz Connect Ewio2 M Bm Firmware
OSMetz-Connect< 2.2.0Metz Connect Ewio2 M Firmware
OSMetz-Connect< 2.2.0
Related vulnerabilities
Metz-Connect Ewio2: brak uwierzytelnienia przy ustawianiu hasła root
A low privileged remote attacker can upload any file to an arbitrary location due to missing file check result...
A low privileged remote attacker can upload a new or overwrite an existing python script by using a path trave...
Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules...