CVE-2025-41733 CRITICAL

CVE-2025-41733: Possible malfunction credential injection

Vendor Metz Connect
Product Energy-Controlling EWIO2-M
Weakness CWE-305
Published November 18, 2025
Last update November 18, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

Key dates

02Disclosure timeline

November 18, 2025 CVE published
November 18, 2025 Record updated