CVE-2025-41733
9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| METZ CONNECT | Energy-Controlling EWIO2-M | 0.0.0 < 2.2.0 | affected |
| METZ CONNECT | Energy-Controlling EWIO2-M-BM | 0.0.0 < 2.2.0 | affected |
| METZ CONNECT | Ethernet-IO EWIO2-BM | 0.0.0 < 2.2.0 | affected |
Weaknesses
- CWE-305: CWE-305 Authentication Bypass by Primary Weakness
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.