Summary
A critical authentication bypass in EWIO-2 allows unauthenticated attackers with network access to gain administrative control over the device. Once compromised, an attacker can change configurations, manipulate data, disrupt services, and potentially render the device non-functional.
Impact
Due to these vulnerabilities, an unauthenticated attacker can take control of the device. Data integrity as well as device availability can no longer be guaranteed.
Affected Product(s)
| Model no. | Product name | Affected versions |
|---|---|---|
| 110930 | Energy-Controlling EWIO2-M | Firmware <2.2.0 |
| 110935 | Energy-Controlling EWIO2-M-BM | Firmware <2.2.0 |
| 110904 | Ethernet-IO EWIO2-BM | Firmware <2.2.0 |
Vulnerabilities
An unauthenticated remote attacker can execute arbitrary PHP files and gain full access to the affected devices.
The commissioning wizard on the affected devices does not validate whether the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
A low-privileged remote attacker can upload a new or overwrite an existing Python script by using a path traversal in the target filename in PHP, resulting in remote code execution.
A low-privileged remote attacker can upload any file to an arbitrary location due to a missing file check, resulting in remote code execution.
Due to a webserver misconfiguration, an unauthenticated remote attacker is able to read the source of PHP modules.
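The two upload issues above (path traversal in the target filename, and a missing file check) share one root cause: the server trusts a client-supplied filename. The following is an added illustration of how such a check is hardened; it is hypothetical example code, not METZ CONNECT's, and assumes a fixed upload directory that only accepts Python scripts.

```php
<?php
// Illustrative hardening of a script-upload target-filename check (hypothetical
// example, not METZ CONNECT code). Assumed: uploads go to one fixed directory
// and only Python scripts are permitted.

declare(strict_types=1);

/**
 * Return the canonical destination path for an uploaded script, or null if the
 * client-supplied name is not acceptable. Callers must treat null as an error
 * and must never fall back to using the raw name.
 */
function safe_script_target(string $uploadDir, string $requestedName): ?string
{
    // Canonicalise the allowed directory; fail closed if it does not exist.
    $dir = realpath($uploadDir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }

    // Allowlist the filename shape: no separators, no "..", no NUL bytes, and
    // only the .py extension. Rejecting outright is safer than stripping.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.py\z/', $requestedName)) {
        return null;
    }

    $target = $dir . DIRECTORY_SEPARATOR . $requestedName;

    // Defence in depth: the final path must still sit inside $dir.
    if (strncmp($target, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed sample inputs (the temp directory is assumed to exist); only the
// first name is accepted, every other one is rejected.
$dir = sys_get_temp_dir();
foreach (['report.py', '../outside.py', "x.py\0.txt", 'shell.php', 'a/b.py'] as $name) {
    $result = safe_script_target($dir, $name);
    printf("%-24s => %s\n", json_encode($name), $result ?? 'REJECTED');
}
```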
Remediation
METZ CONNECT has released software version 2.2.0. Install version 2.2.0 or later to remediate these vulnerabilities. Schedule the update at your next maintenance window. No workaround offers equivalent protection.
Acknowledgments
METZ CONNECT GmbH thanks the following parties for their efforts:
- CERT@VDE for coordination (see https://certvde.com)
- Noam Moshe, Tomer Goldschmidt from Claroty Team82 for reporting
Revision History
| Version | Date | Summary |
|---|---|---|
| 1.0.0 | 18.11.2025 13:00 | Initial revision |