CVE-2025-41733
CRITICAL
Commissioning Wizard - Privilege Escalation
Title source: llm
Description
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
Scores
CVSS v3
9.8
EPSS
0.0013
EPSS Percentile
31.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Classification
CWE
CWE-305
Status
published
Affected Products (3)
metz-connect/ewio2-m_firmware
< 2.2.0
metz-connect/ewio2-m-bm_firmware
< 2.2.0
metz-connect/ewio2-bm_firmware
< 2.2.0
Timeline
Published
Nov 18, 2025
Tracked Since
Feb 18, 2026