CVE-2025-41733

Published: Nov 18, 2025Modified: Nov 21, 2025

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: info@cert.vde.com (Secondary)

Description

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

Affected (3)

Products: Metz Connect: Ewio2 M Firmware, Ewio2 M Bm Firmware, Ewio2 Bm Firmware

3 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Metz Connect Ewio2 M Firmware	Before 2.2.0

Running on/with	Platform Versions
Metz Connect Ewio2 M	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Metz Connect Ewio2 M Bm Firmware	Before 2.2.0

Running on/with	Platform Versions
Metz Connect Ewio2 M Bm	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Metz Connect Ewio2 Bm Firmware	Before 2.2.0

Running on/with	Platform Versions
Metz Connect Ewio2 Bm	All versions

Related CWEs

CWE-305

Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

References (1)

https://certvde.com/de/advisories/VDE-2025-097

Source: info@cert.vde.com

Third Party Advisory

Timeline

No history available yet.