CVE-2025-41733

Summary

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

Affected Software

VendorProductVersion RangeStatus
METZ CONNECTEnergy-Controlling EWIO2-M0.0.0 < 2.2.0affected
METZ CONNECTEnergy-Controlling EWIO2-M-BM0.0.0 < 2.2.0affected
METZ CONNECTEthernet-IO EWIO2-BM0.0.0 < 2.2.0affected

Weaknesses

  • CWE-305: CWE-305 Authentication Bypass by Primary Weakness

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References