CWE-305 AUTHENTICATION BYPASS BY PRIMARY WEAKNESS
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
METZ CONNECT has identified the following specific workarounds and mitigations users can apply to reduce risk:
(Product Group: METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-M-BM(All versions), METZ CONNECT Firmware (<2.2.0) installed on METZ CONNECT Hardware EWIO2-BM(All versions)): METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
The following product versions have been fixed:
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41733
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41734
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41735
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41736
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM is a fixed version for CVE-2025-41737
Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM is a fixed version for CVE-2025-41737
CVE-2025-41733
Metz Connect
EWIO2
9.8
Team82 is committed to privately reporting vulnerabilities to affected vendors in a coordinated, timely manner in order to ensure the safety of the cybersecurity ecosystem worldwide. To engage with the vendor and research community, Team82 invites you to download and share our Coordinated Disclosure Policy. Team82 will adhere to this reporting and disclosure process when we discover vulnerabilities in products and services.
Team82 has also made its public PGP Key available for the vendor and research community to securely and safely exchange vulnerability and research information with us.
