CVE-2025-41736 is a high-severity remote code execution issue in METZ CONNECT EWIO2-related products. According to the CISA CSAF advisory, a low-privileged remote attacker can use path traversal in a PHP upload flow to upload or overwrite a Python script, leading to arbitrary code execution. METZ CONNECT states that SW-Version 2.2.0 or later remediates the issue and that no workaround offers equivalent protection.
CVE-2025-41734 is a critical unauthenticated local file inclusion issue in the php module used by METZ CONNECT EWIO2 devices. According to the CISA CSAF advisory, a remote attacker can execute arbitrary PHP files and obtain full access on affected devices. METZ CONNECT reports that SW-Version 2.2.0 or later remediates the issue, and the advisory notes that no workaround provides equivalent protection.
