CVE-2025-41734 METZ CONNECT CVE debrief

Who should care

Operators, integrators, and maintainers of METZ CONNECT EWIO2-M, EWIO2-M-BM, and EWIO2-BM devices running firmware below 2.2.0, especially in OT/ICS, building automation, or energy-monitoring environments.

Technical summary

The supplied advisory identifies an unauthenticated remote attack path against the php module and lists affected METZ CONNECT product families and firmware releases below 2.2.0. The stated impact is arbitrary PHP file execution followed by full device compromise. The advisory’s remediation is to install SW-Version 2.2.0 or later; it does not describe an equivalent workaround.

Defensive priority

Immediate. This is a network-reachable, unauthenticated vulnerability with critical CVSS 9.8 impact and a vendor fix already available.

Recommended defensive actions

• Upgrade affected METZ CONNECT devices to SW-Version 2.2.0 or later as soon as possible.
• Inventory EWIO2-M, EWIO2-M-BM, and EWIO2-BM deployments and verify firmware versions before and after remediation.
• Prioritize patching for any exposed or remotely managed devices, especially those reachable from untrusted networks.
• Use compensating controls such as network segmentation and strict access restriction to reduce exposure until patching is complete.

Evidence notes

All substantive claims are taken from the supplied CISA CSAF advisory ICSA-25-322-05 and its referenced vendor materials. The advisory explicitly states the unauthenticated remote impact, names the affected METZ CONNECT product families, and identifies SW-Version 2.2.0 or later as the fix. The supplied enrichment does not indicate a KEV entry.

Official resources