PatchSiren cyber security CVE debrief
CVE-2025-41736 METZ CONNECT CVE debrief
CVE-2025-41736 is a high-severity remote code execution issue in METZ CONNECT EWIO2-related products. According to the CISA CSAF advisory, a low-privileged remote attacker can use path traversal in a PHP upload flow to upload or overwrite a Python script, leading to arbitrary code execution. METZ CONNECT states that SW-Version 2.2.0 or later remediates the issue and that no workaround offers equivalent protection.
- Vendor
- METZ CONNECT
- Product
- Hardware
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-11-18
- Original CVE updated
- 2025-11-18
- Advisory published
- 2025-11-18
- Advisory updated
- 2025-11-18
Who should care
Industrial control system operators, OT security teams, and administrators responsible for METZ CONNECT EWIO2-M, EWIO2-M-BM, and EWIO2-BM deployments, especially where affected firmware versions may be installed.
Technical summary
The advisory describes a server-side file handling weakness in which a low-privileged remote attacker can manipulate the target filename path in PHP to place or replace a Python script. Because the vulnerable behavior can lead to script execution, the impact is remote code execution with high confidentiality, integrity, and availability impact. The supplied advisory scope includes Firmware <2.2.0 on Energy-Controlling EWIO2-M, EWIO2-M-BM, and Ethernet-IO EWIO2-BM, with SW-Version 2.2.0 identified as the fixed release.
Defensive priority
High. This is network-reachable, requires only low privileges, and can result in full code execution on affected systems. In OT environments, that can translate into operational disruption, unauthorized control, or broader lateral movement risk.
Recommended defensive actions
- Upgrade affected METZ CONNECT systems to SW-Version 2.2.0 or later.
- Prioritize the update for any exposed or remotely managed EWIO2 deployments.
- Plan the update during the next maintenance window, as recommended by the vendor.
- Verify whether any EWIO2-M, EWIO2-M-BM, or EWIO2-BM systems are running firmware earlier than 2.2.0.
- Review access controls and administrative exposure around affected devices while patching is underway.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-25-322-05 for CVE-2025-41736 and the vendor remediation statement embedded in the source corpus. The source describes the issue as a path traversal in PHP that can be used to upload or overwrite a Python script, resulting in remote code execution. The supplied remediation states that SW-Version 2.2.0 or later fixes the issue and that no workaround offers equivalent protection. The provided timeline shows publication and modification on 2025-11-18T12:00:00.000Z, which is used here as the advisory date context.
Official resources
-
CVE-2025-41736 CVE record
CVE.org
-
CVE-2025-41736 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
CISA published the advisory and the source corpus on 2025-11-18T12:00:00Z. The supplied enrichment does not mark this CVE as a Known Exploited Vulnerability.