CVE 9.8 CRITICAL

Possible malfunction credential injection_CVE-2025-41733

November 18, 2025 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

AI Analysis

Unauthenticated remote attackers can set root credentials due to a lack of validation in the commissioning wizard

Basic Information

ID CVE-2025-41733

Source CERTVDE

Published Nov 18, 2025 at 10:17

Affected Product

Vendor METZ CONNECT

Product Energy-Controlling EWIO2-M

Version 0.0.0

Affected Versions METZ CONNECT Energy-Controlling EWIO2-M 0.0.0
METZ CONNECT Energy-Controlling EWIO2-M-BM 0.0.0
METZ CONNECT Ethernet-IO EWIO2-BM 0.0.0

CWE Classification

CWE-305

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor METZ CONNECT

Product Energy-Controlling EWIO2-M, Energy-Controlling EWIO2-M-BM, Ethernet-IO EWIO2-BM

Version 0.0.0

References

certvde.com /de/advisories/VDE-2025-097

{
    "lastseen": "",
    "description": "The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.",
    "published": "2025-11-18T10:17:46.326Z",
    "modified": "2025-11-18T10:17:46.326Z",
    "type": "cve",
    "title": "Possible malfunction credential injection",
    "source": "CERTVDE",
    "references": "https://certvde.com/de/advisories/VDE-2025-097",
    "id": "CVE-2025-41733",
    "bulletinFamily": "",
    "cwe": [
        "CWE-305"
    ],
    "cvelist": null,
    "sourceData": "METZ CONNECT Energy-Controlling EWIO2-M 0.0.0\nMETZ CONNECT Energy-Controlling EWIO2-M-BM 0.0.0\nMETZ CONNECT Ethernet-IO EWIO2-BM 0.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Energy-Controlling EWIO2-M",
    "version": "0.0.0",
    "vendor": "METZ CONNECT",
    "ai_description": "Unauthenticated remote attackers can set root credentials due to a lack of validation in the commissioning wizard",
    "ai_severity": "Critical",
    "ai_vendor": "METZ CONNECT",
    "ai_product": "Energy-Controlling EWIO2-M, Energy-Controlling EWIO2-M-BM, Ethernet-IO EWIO2-BM",
    "ai_version": "0.0.0",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply