Executive Summary
In November 2025, CISA and CERT@VDE published advisories for multiple critical vulnerabilities in METZ CONNECT EWIO2 Ethernet I/O devices (EWIO2-M, EWIO2-M-BM and EWIO2-BM running firmware below 2.2.0). An unauthenticated remote attacker can bypass authentication by setting root credentials through the commissioning wizard (CVE-2025-41733), execute arbitrary PHP (CVE-2025-41734) and read the source of PHP modules (CVE-2025-41737); a low-privileged attacker can reach code execution through unrestricted file upload (CVE-2025-41735) and a path traversal that overwrites Python scripts (CVE-2025-41736). CVSS v4 base scores range from 8.7 to 9.3; the per-CVE scores listed below are CVSS v3.1 and range from 7.5 to 9.8. The devices are deployed worldwide in critical manufacturing, and exploitation could cause operational disruption or unauthorized control of the connected process.
This disclosure matters because it targets the operational technology (OT) sector, a high-value and often less-protected attack surface that threat actors increasingly seek out. As IT and OT converge, unpatched, internet-exposed devices in critical infrastructure remain open to damaging attacks, underscoring the urgent need for prompt patching, network segmentation, and proactive defense.
Why This Matters Now
These vulnerabilities highlight the escalating risk to industrial and energy sectors, where a successful attack on control devices can affect safety and essential services. No public exploit was known at the time of the advisories, but the affected devices are widely deployed, so patching to firmware 2.2.0 or later and strong compensating controls are the priority before exploitation becomes routine.
Attack Path Analysis
The following is a projected path built from the disclosed flaws, not a description of an observed intrusion; no public exploitation had been reported when the advisories were published. An unauthenticated attacker who can reach an EWIO2 web interface could use the commissioning-wizard flaw (CVE-2025-41733) to set new root credentials without knowing any existing password, or execute arbitrary PHP outright via CVE-2025-41734. With those credentials, or any low-privileged account, the unrestricted upload (CVE-2025-41735) and path traversal (CVE-2025-41736) allow writing files, including Python scripts the device executes, to arbitrary locations, which yields code execution on the device. From that foothold the attacker could pivot to other devices on the same OT segment, stage additional payloads, and, where egress is permitted, establish command and control and exfiltrate configuration or process data. The realistic end states are device manipulation, operational disruption, or further malware propagation.
Kill Chain Progression
Initial Compromise
Description
An attacker remotely reaches an exposed EWIO2 web interface and exploits the authentication bypass (CVE-2025-41733) to set root credentials, gaining an initial foothold without any prior access.
Related CVEs
CVE-2025-41733
CVSS 9.8 (v3.1)
The commissioning wizard on METZ CONNECT EWIO2 devices does not validate whether the device is already initialized, allowing an unauthenticated remote attacker to set root credentials.
Affected Products:
METZ CONNECT EWIO2-M – < 2.2.0
METZ CONNECT EWIO2-M-BM – < 2.2.0
METZ CONNECT EWIO2-BM – < 2.2.0
Exploit Status: no public exploit

CVE-2025-41734
CVSS 9.8 (v3.1)
An unauthenticated remote attacker can execute arbitrary PHP files and gain full access to METZ CONNECT EWIO2 devices.
Affected Products:
METZ CONNECT EWIO2-M – < 2.2.0
METZ CONNECT EWIO2-M-BM – < 2.2.0
METZ CONNECT EWIO2-BM – < 2.2.0
Exploit Status: no public exploit

CVE-2025-41735
CVSS 8.8 (v3.1)
A low-privileged remote attacker can upload any file to an arbitrary location because no file checks are performed, resulting in remote code execution on METZ CONNECT EWIO2 devices.
Affected Products:
METZ CONNECT EWIO2-M – < 2.2.0
METZ CONNECT EWIO2-M-BM – < 2.2.0
METZ CONNECT EWIO2-BM – < 2.2.0
Exploit Status: no public exploit

CVE-2025-41736
CVSS 8.8 (v3.1)
A low-privileged remote attacker can upload or overwrite existing Python scripts by exploiting a path traversal in the PHP web application, leading to remote code execution on METZ CONNECT EWIO2 devices.
Affected Products:
METZ CONNECT EWIO2-M – < 2.2.0
METZ CONNECT EWIO2-M-BM – < 2.2.0
METZ CONNECT EWIO2-BM – < 2.2.0
Exploit Status: no public exploit

CVE-2025-41737
CVSS 7.5 (v3.1)
Due to a webserver misconfiguration, an unauthenticated remote attacker can read the source of PHP modules on METZ CONNECT EWIO2 devices.
Affected Products:
METZ CONNECT EWIO2-M – < 2.2.0
METZ CONNECT EWIO2-M-BM – < 2.2.0
METZ CONNECT EWIO2-BM – < 2.2.0
Exploit Status: no public exploit
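CVE-2025-41735 and CVE-2025-41736 are two faces of the same mistake: a user-supplied filename is joined onto a server directory with no type check and no containment check, so an upload can land anywhere, including on top of a script the device later executes. The snippet below is an added illustration of that flaw class written for this brief; it is not the EWIO2 firmware code (which is PHP), and the upload root, the data-file allow-list and the payload strings are hypothetical. It uses pure POSIX paths so the logic can be exercised without a filesystem; on a real system, resolve symlinks with os.path.realpath before the containment check.

```python
"""Vulnerable and hardened handling of a user-supplied upload filename.

Added example for this brief, not vendor code. Paths and allow-list are hypothetical.
"""
from __future__ import annotations

import posixpath
from pathlib import PurePosixPath

UPLOAD_ROOT = PurePosixPath("/var/www/uploads")   # hypothetical upload directory
ALLOWED_SUFFIXES = {".csv", ".json"}              # hypothetical: data files only, never scripts


def vulnerable_target(filename: str) -> PurePosixPath:
    """The flawed pattern: join the user-controlled name and write wherever it lands.

    There is no extension check (so executable scripts are accepted) and no
    containment check, so '../scripts/boot.py' resolves outside the upload root
    and overwrites a script that the device will later run.
    """
    return PurePosixPath(posixpath.normpath(posixpath.join(str(UPLOAD_ROOT), filename)))


def safe_target(filename: str) -> PurePosixPath:
    """Hardened version: accept only a bare, allow-listed filename inside the root."""
    # 1. Bare name only: no path separators (either flavour) and no NUL bytes.
    if not filename or any(ch in filename for ch in "/\\\x00"):
        raise ValueError("filename must be a bare name: no separators or NUL bytes")
    # 2. No relative components or dot-files (.htaccess, .., ...).
    if filename.startswith("."):
        raise ValueError("dot-files and relative components are not allowed")
    # 3. Allow-list the file type; deny-listing '.py' would miss other interpreters.
    if PurePosixPath(filename).suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"file type not allowed: {filename}")
    target = PurePosixPath(posixpath.normpath(posixpath.join(str(UPLOAD_ROOT), filename)))
    # 4. Defence in depth: the normalized result must still sit under the root.
    if UPLOAD_ROOT not in target.parents:
        raise ValueError("resolved path escapes the upload root")
    return target


def is_rejected(filename: str) -> bool:
    """True when the hardened handler refuses the name."""
    try:
        safe_target(filename)
    except ValueError:
        return True
    return False


def demo() -> dict[str, str]:
    """Run the same inputs through both handlers; returns what each would do."""
    payloads = ["report.csv", "Data.JSON", "../scripts/boot.py", "shell.py", ".htaccess"]
    out: dict[str, str] = {}
    for name in payloads:
        try:
            out[name] = f"accepted -> {safe_target(name)}"
        except ValueError as err:
            out[name] = f"rejected ({err}); vulnerable handler would write {vulnerable_target(name)}"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:<22} {result}")
```

The traversal payload shows why step 1 alone is not enough in general: on a real filesystem a symlink inside the upload root can still point at the script directory, which is why the realpath-based containment check in step 4 belongs in production code.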
MITRE ATT&CK® Techniques
Exploit Public-Facing Application (T1190)
Valid Accounts: Default Accounts (T1078.001)
Network Sniffing (T1040)
Process Injection (T1055)
Server Software Component: Web Shell (T1505.003)
Command and Scripting Interpreter: Python (T1059.006)
OS Credential Dumping (T1003)
File and Directory Permissions Modification (T1222)
Potential Compliance Exposure
Mapping the potential impact of these vulnerabilities across compliance frameworks.
PCI DSS 4.0 – Authentication and Access Control Mechanisms
Control ID: 8.2.2
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Art. 21
NYDFS 23 NYCRR 500 – Cybersecurity Policy and Access Privileges
Control ID: 500.03 & 500.07
DORA (EU Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 10(1)
CISA ZTMM 2.0 – Zero Trust Device and App Validation
Control ID: IDENTIFY - Device and Application Trust
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Critical Manufacturing
METZ CONNECT EWIO2 vulnerabilities enable remote code execution and authentication bypass in industrial control systems, critically compromising manufacturing operations and safety.
Utilities
Energy-controlling EWIO2 devices face authentication bypass and remote exploitation risks, threatening power grid stability and utility infrastructure through industrial control vulnerabilities.
Oil/Energy/Solar/Greentech
Industrial control system vulnerabilities in EWIO2 energy controllers expose renewable and traditional energy facilities to remote attacks and operational disruption.
Industrial Automation
Multiple critical vulnerabilities in EWIO2 Ethernet-IO devices allow unauthenticated remote access, compromising automated industrial processes and control system integrity.
Sources
- CISA ICS Advisory ICSA-25-322-05 (METZ CONNECT EWIO2): https://www.cisa.gov/news-events/ics-advisories/icsa-25-322-05
- CERT@VDE Advisory VDE-2025-097: https://certvde.com/de/advisories/VDE-2025-097
- NVD – CVE-2025-41733: https://nvd.nist.gov/vuln/detail/CVE-2025-41733
- NVD – CVE-2025-41734: https://nvd.nist.gov/vuln/detail/CVE-2025-41734
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic controls, inline threat prevention, and strict egress security address each stage of the projected attack path: they keep untrusted sources from reaching the vulnerable management interface, confine a compromised device so privilege escalation does not become lateral movement, surface east-west probing, and block the outbound connections that command and control and exfiltration depend on. They are compensating controls that buy time; they do not replace the firmware upgrade to 2.2.0.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized access to device management APIs from untrusted sources.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks exploit signatures and malicious payloads targeting device firmware.
Control: East-West Traffic Security
Mitigation: Restricts the attacker's ability to move laterally across the environment.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks suspicious external communications and unknown destinations.
Control: Encrypted Traffic (HPE)
Mitigation: Ensures data-in-transit is encrypted and prevents packet sniffing or unauthorized egress.
Rapidly detects and alerts on abnormal device behavior or attempted destructive actions.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive operational data due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- Upgrade all EWIO2-M, EWIO2-M-BM and EWIO2-BM devices to firmware 2.2.0 or later; inventory them first so no unit on a lower version is missed.
- Implement Zero Trust segmentation to isolate OT and ICS endpoints from untrusted networks and remove management interface exposure to IT networks and the internet.
- Enforce east-west traffic controls and microsegmentation to restrict lateral movement between devices and sensitive workloads.
- Deploy inline IPS and active threat detection to identify and block exploitation attempts targeting known device vulnerabilities.
- Apply strict egress filtering and encrypted traffic enforcement to prevent unauthorized outbound connections and exfiltration.
- Maintain continuous visibility and anomaly response across OT, cloud and hybrid environments to enable fast detection and mitigation of malicious activity.
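The first action, finding every EWIO2 unit still below 2.2.0 and ranking it by exposure, is the kind of job that gets done badly by hand across a plant. The script below is an added example for this brief, not vendor or CISA tooling; the product names and the 2.2.0 threshold come from the advisories' affected-products table, and the inventory rows are constructed sample data in a hypothetical hostname,product,firmware,reachable-from-IT format. A device whose management interface is reachable from IT or the internet is ranked first, because CVE-2025-41733 needs no credentials, so reachability alone is a network-to-root path.

```python
"""Triage an asset inventory for METZ CONNECT EWIO2 devices on vulnerable firmware.

Added example for this brief, not vendor tooling. Inventory rows are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# From the advisories: all three variants are affected below firmware 2.2.0.
AFFECTED_PRODUCTS = {"EWIO2-M", "EWIO2-M-BM", "EWIO2-BM"}
FIXED_VERSION = (2, 2, 0)

# Constructed sample export. Hypothetical columns:
# hostname,product,firmware,management interface reachable from the IT network
SAMPLE_INVENTORY = [
    "io-line1-01,EWIO2-M,2.1.4,true",
    "io-line1-02,EWIO2-M-BM,2.2.0,false",
    "io-hall3-01,EWIO2-BM,1.9.12,false",
    "hmi-hall3,SOME-OTHER-HMI,3.0.1,true",
    "io-line2-01,EWIO2-M,2.2.1-rc1,true",
    "# comment lines and blanks are ignored",
]


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '2.1.4' or '2.2.1-rc1' into a comparable (major, minor, patch) tuple.

    A pre-release suffix after '-' or '+' is dropped: the advisory gives a plain
    numeric threshold, so a 2.2.1 pre-release counts as above 2.2.0. Missing
    components are padded with zeros so '2.2' compares equal to '2.2.0'.
    """
    core = text.strip().split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable firmware version: {text!r}")
    padded = (parts + [0, 0, 0])[:3]
    return padded[0], padded[1], padded[2]


def is_vulnerable(product: str, firmware: str) -> bool:
    """True when the product is in the affected list and its firmware is below 2.2.0."""
    return product in AFFECTED_PRODUCTS and parse_version(firmware) < FIXED_VERSION


@dataclass(frozen=True)
class Finding:
    hostname: str
    product: str
    firmware: str
    exposed: bool

    @property
    def priority(self) -> str:
        # Reachable management interface + unauthenticated root-credential set
        # (CVE-2025-41733) means anyone on that network can own the device.
        return "P1-patch-now" if self.exposed else "P2-patch-this-cycle"


def triage(rows: list[str]) -> list[Finding]:
    """Return the vulnerable devices, exposed ones first, then by hostname."""
    findings: list[Finding] = []
    for row in rows:
        if not row.strip() or row.lstrip().startswith("#"):
            continue
        hostname, product, firmware, exposed = (f.strip() for f in row.split(","))
        if is_vulnerable(product, firmware):
            findings.append(
                Finding(hostname, product, firmware, exposed.lower() in {"true", "yes", "1"})
            )
    return sorted(findings, key=lambda f: (not f.exposed, f.hostname))


if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.priority:<22} {finding.hostname:<14} "
              f"{finding.product:<11} {finding.firmware}")
```

Feed it a real export and the P1 list is the set of devices that need either the firmware upgrade or an immediate segmentation change before the next shift; the P2 list can follow the normal maintenance window.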