VDE-2025-097

Vulnerability from csaf_metzconnectgmbh - Published: 2025-11-18 12:00 - Updated: 2025-11-18 12:00
Summary
METZ CONNECT: Config API – Authentication bypass leads to admin takeover in EWIO2 series
Notes
Summary: A critical authentication bypass in EWIO-2 allows unauthenticated attackers with network access to gain administrative control over the device. Once compromised, an attacker can change configurations, manipulate data, disrupt services, and potentially render the device non-functional.
Impact: Due to these vulnerabilities an unauthenticated attacker can take over control of the device. The data integrity as well as the device availability could no longer be guaranteed.
Remediation: METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
Product Description: Compact Ethernet I/O controller that bridges field signals to IP networks. It acts as a Modbus TCP or BACnet/IP server (plus Modbus RTU for field devices) and includes a web-based Node‑RED environment for simple logic, visualization, and data logging—ideal for building and industrial automation.

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

CWE-305 - Authentication Bypass by Primary Weakness
Vendor Fix METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
Affected products
Product Identifier Version Remediation
Unresolved product id: CSAFPID-32001
Unresolved product id: CSAFPID-32002
Unresolved product id: CSAFPID-32003
Product Identifier Version Remediation
Unresolved product id: CSAFPID-31001
Unresolved product id: CSAFPID-31002
Unresolved product id: CSAFPID-31003

An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.

CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Vendor Fix METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
Affected products
Product Identifier Version Remediation
Unresolved product id: CSAFPID-32001
Unresolved product id: CSAFPID-32002
Unresolved product id: CSAFPID-32003
Product Identifier Version Remediation
Unresolved product id: CSAFPID-31001
Unresolved product id: CSAFPID-31002
Unresolved product id: CSAFPID-31003

A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.

CWE-434 - Unrestricted Upload of File with Dangerous Type
Vendor Fix METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
Affected products
Product Identifier Version Remediation
Unresolved product id: CSAFPID-32001
Unresolved product id: CSAFPID-32002
Unresolved product id: CSAFPID-32003
Product Identifier Version Remediation
Unresolved product id: CSAFPID-31001
Unresolved product id: CSAFPID-31002
Unresolved product id: CSAFPID-31003

A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution.

CWE-35 - Path Traversal: '.../...//'
Vendor Fix METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
Affected products
Product Identifier Version Remediation
Unresolved product id: CSAFPID-32001
Unresolved product id: CSAFPID-32002
Unresolved product id: CSAFPID-32003
Product Identifier Version Remediation
Unresolved product id: CSAFPID-31001
Unresolved product id: CSAFPID-31002
Unresolved product id: CSAFPID-31003

Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules.

CWE-284 - Improper Access Control
Vendor Fix METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
Affected products
Product Identifier Version Remediation
Unresolved product id: CSAFPID-32001
Unresolved product id: CSAFPID-32002
Unresolved product id: CSAFPID-32003
Product Identifier Version Remediation
Unresolved product id: CSAFPID-31001
Unresolved product id: CSAFPID-31002
Unresolved product id: CSAFPID-31003
Acknowledgments
CERT@VDE certvde.com
Claroty Team82 Noam Moshe Tomer Goldschmidt

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      },
      {
        "names": [
          "Noam Moshe",
          "Tomer Goldschmidt"
        ],
        "organization": "Claroty Team82",
        "summary": "for reporting"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "A critical authentication bypass in EWIO-2 allows unauthenticated attackers with network access to gain administrative control over the device. Once compromised, an attacker can change configurations, manipulate data, disrupt services, and potentially render the device non-functional.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "Due to these vulnerabilities an unauthenticated attacker can take over control of the device. The data integrity as well as the device availability could no longer be guaranteed.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.",
        "title": "Remediation"
      },
      {
        "category": "description",
        "text": "Compact Ethernet I/O controller that bridges field signals to IP networks. It acts as a Modbus TCP or BACnet/IP server (plus Modbus RTU for field devices) and includes a web-based Node\u2011RED environment for simple logic, visualization, and data logging\u2014ideal for building and industrial automation.",
        "title": "Product Description"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@metz-connect.com",
      "name": "METZ CONNECT GmbH",
      "namespace": "https://www.metz-connect.com/security/"
    },
    "references": [
      {
        "category": "external",
        "summary": "Ethernet-IO BACnet / Modbus No. 110904 ",
        "url": "https://www.metz-connect.com/home/produkte/c-logline/i-o-komponenten/ethernet-i-os.69.de.html?id=110904"
      },
      {
        "category": "external",
        "summary": "Energy-Controlling M-Bus No. 110930 ",
        "url": "https://www.metz-connect.com/home/produkte/c-logline/energie-controlling/datenlogger.6a.de.html?id=110930"
      },
      {
        "category": "external",
        "summary": "Energy-Controlling BACnet / Modbus No. 110935 ",
        "url": "https://www.metz-connect.com/home/produkte/c-logline/energie-controlling/datenlogger.6a.de.html?id=110935"
      },
      {
        "category": "self",
        "summary": "VDE-2025-097: METZ CONNECT: Config API \u2013 Authentication bypass leads to admin takeover in EWIO2 series - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2025-097"
      },
      {
        "category": "self",
        "summary": "VDE-2025-097: METZ CONNECT: Config API \u2013 Authentication bypass leads to admin takeover in EWIO2 series - CSAF",
        "url": "https://metz-connect.csaf-tp.certvde.com/.well-known/csaf/white/2025/vde-2025-097.json"
      },
      {
        "category": "external",
        "summary": "METZ CONNECT advisory overview at CERT@VDE",
        "url": "https://certvde.com/de/advisories/vendor/metz-connect/"
      }
    ],
    "title": "METZ CONNECT: Config API \u2013 Authentication bypass leads to admin takeover in EWIO2 series",
    "tracking": {
      "aliases": [
        "VDE-2025-097"
      ],
      "current_release_date": "2025-11-18T12:00:00.000Z",
      "generator": {
        "date": "2025-11-14T14:54:22.879Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.38"
        }
      },
      "id": "VDE-2025-097",
      "initial_release_date": "2025-11-18T12:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-11-18T12:00:00.000Z",
          "number": "1.0.0",
          "summary": "Initial revision"
        }
      ],
      "status": "final",
      "version": "1.0.0"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "EWIO2-M",
                    "product": {
                      "name": "Energy-Controlling EWIO2-M",
                      "product_id": "CSAFPID-11001",
                      "product_identification_helper": {
                        "model_numbers": [
                          "110930"
                        ]
                      }
                    }
                  },
                  {
                    "category": "product_name",
                    "name": "EWIO2-M-BM",
                    "product": {
                      "name": "Energy-Controlling EWIO2-M-BM",
                      "product_id": "CSAFPID-11002",
                      "product_identification_helper": {
                        "model_numbers": [
                          "110935"
                        ]
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "Energy-Controlling"
              },
              {
                "branches": [
                  {
                    "category": "product_name",
                    "name": "EWIO2-BM",
                    "product": {
                      "name": "Ethernet-IO EWIO2-BM",
                      "product_id": "CSAFPID-11003",
                      "product_identification_helper": {
                        "model_numbers": [
                          "110904 "
                        ]
                      }
                    }
                  }
                ],
                "category": "product_family",
                "name": "Ethernet-IO"
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2.2.0",
                "product": {
                  "name": "Firmware \u003c2.2.0",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version",
                "name": "2.2.0",
                "product": {
                  "name": "Firmware 2.2.0",
                  "product_id": "CSAFPID-22001"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "METZ CONNECT"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c2.2.0 installed on Energy-Controlling EWIO2-M",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c2.2.0 installed on Energy-Controlling EWIO2-M-BM",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c2.2.0 installed on Ethernet-IO EWIO2-BM",
          "product_id": "CSAFPID-31003"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11003"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.2.0 installed on Energy-Controlling EWIO2-M",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.2.0 installed on Energy-Controlling EWIO2-M-BM",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 2.2.0 installed on Ethernet-IO EWIO2-BM",
          "product_id": "CSAFPID-32003"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11003"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-41733",
      "cwe": {
        "id": "CWE-305",
        "name": "Authentication Bypass by Primary Weakness"
      },
      "notes": [
        {
          "category": "description",
          "text": "The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "Possible malfunction credential injection"
    },
    {
      "cve": "CVE-2025-41734",
      "cwe": {
        "id": "CWE-98",
        "name": "Improper Control of Filename for Include/Require Statement in PHP Program (\u0027PHP Remote File Inclusion\u0027)"
      },
      "notes": [
        {
          "category": "description",
          "text": "An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "Bug #69948 path/domain are not sanitized in setcookie.",
          "url": "https://bugs.php.net/bug.php?id=69948"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 9.8,
            "environmentalSeverity": "CRITICAL",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 9.8,
            "temporalSeverity": "CRITICAL",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "Unauthenticated Local File Inclusion in php module"
    },
    {
      "cve": "CVE-2025-41735",
      "cwe": {
        "id": "CWE-434",
        "name": "Unrestricted Upload of File with Dangerous Type"
      },
      "notes": [
        {
          "category": "description",
          "text": "A low privileged remote attacker can upload any file to an arbitrary location due to missing file check resulting in remote code execution.",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "Possible arbitrary file upload"
    },
    {
      "cve": "CVE-2025-41736",
      "cwe": {
        "id": "CWE-35",
        "name": "Path Traversal: \u0027.../...//\u0027"
      },
      "notes": [
        {
          "category": "description",
          "text": "A low privileged remote attacker can upload a new or overwrite an existing python script by using a path traversal of the target filename in php resulting in a remote code execution. ",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.8,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "temporalScore": 8.8,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "Possible arbitrary code execution"
    },
    {
      "cve": "CVE-2025-41737",
      "cwe": {
        "id": "CWE-284",
        "name": "Improper Access Control"
      },
      "notes": [
        {
          "category": "description",
          "text": "Due to webserver misconfiguration an unauthenticated remote attacker is able to read the source of php modules. ",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002",
          "CSAFPID-32003"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002",
          "CSAFPID-31003"
        ]
      },
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "METZ CONNECT has released a new SW-Version 2.2.0. Install version 2.2.0 or later to remediate this vulnerability. Schedule the update at your next maintenance window. No workaround offers equivalent protection.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 7.5,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "temporalScore": 7.5,
            "temporalSeverity": "HIGH",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002",
            "CSAFPID-31003"
          ]
        }
      ],
      "title": "Improper access control via php endpoint "
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…