Ewio2 Bm Firmware

ewio2-bm_firmware

Vendor: Metz Connect • 5 CVEs

CVEs (5)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-41737 1Metz Connect 3Ewio2 Bm Firmware Ewio2 M Bm FirmwareEwio2 M Firmware Nov 21, 2025 Nov 18, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules.
CVE-2025-41736 1Metz Connect 3Ewio2 Bm Firmware Ewio2 M Bm FirmwareEwio2 M Firmware Nov 21, 2025 Nov 18, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.
CVE-2025-41735 1Metz Connect 3Ewio2 Bm Firmware Ewio2 M Bm FirmwareEwio2 M Firmware Nov 21, 2025 Nov 18, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.
CVE-2025-41734 1Metz Connect 3Ewio2 Bm Firmware Ewio2 M Bm FirmwareEwio2 M Firmware Nov 21, 2025 Nov 18, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.
CVE-2025-41733 1Metz Connect 3Ewio2 Bm Firmware Ewio2 M Bm FirmwareEwio2 M Firmware Nov 21, 2025 Nov 18, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.