METZ CONNECT EWIO2

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-322-05 | Nov 18, 2025
Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A critical authentication bypass in the METZ CONNECT EWIO2 configuration API allows an unauthenticated attacker with network access to gain administrative control of the device. The flaw lies in the authentication mechanism of the config API and affects EWIO2-M, EWIO2-M-BM, and EWIO2-BM devices running firmware versions below 2.2.0. An attacker can use it to change device configuration, manipulate operational data, disrupt services, and potentially render the device non-functional. The vendor has released firmware version 2.2.0, which fixes the authentication bypass.

What this means
What could happen
An unauthenticated attacker with network access can gain full administrative control of the EWIO2 device, allowing them to change operating parameters, redirect energy flows, or shut down the device completely, disrupting power distribution or monitoring.
Who's at risk
This vulnerability affects energy utilities and facility managers who operate METZ CONNECT EWIO2 series devices (Energy-Controlling EWIO2-M, EWIO2-M-BM, and Ethernet-IO EWIO2-BM) for energy monitoring and control. These devices are used in distribution networks and building energy management systems.
How it could be exploited
An attacker on the network sends a request to the EWIO2's configuration API without credentials and bypasses authentication, obtaining admin access. They can then issue commands to alter device settings, configurations, or operational state.
Prerequisites
  • Network access to the EWIO2 device (no credentials required)
  • EWIO2 firmware version below 2.2.0
Tags: remotely exploitable; no authentication required; low complexity; critical CVSS score (9.8); affects energy infrastructure; unauthenticated API access
Exploitability
Unlikely to be exploited according to EPSS (score 0.6%, i.e. a low predicted probability of in-the-wild exploitation within the next 30 days). A low EPSS score does not reduce the severity of the flaw for a device that is reachable without authentication; it only means exploitation has not been observed or predicted to be widespread yet.
Affected products (3), 3 with fix

Product                          Affected versions   Fix status
Energy-Controlling EWIO2-M       < 2.2.0             fixed in 2.2.0
Energy-Controlling EWIO2-M-BM    < 2.2.0             fixed in 2.2.0
Ethernet-IO EWIO2-BM             < 2.2.0             fixed in 2.2.0
Remediation & Mitigation
Do now
HARDENING: Restrict network access to EWIO2 devices by placing them behind a firewall and isolating them from business networks and the internet. Because the bypass needs no credentials, anything that can reach the configuration API can take over the device, so limit reachability to the hosts that actually need to manage it.
Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.

HOTFIX: Update EWIO2-M, EWIO2-M-BM, and EWIO2-BM devices to firmware version 2.2.0 or later, and verify the running version after the reboot.
Long-term hardening
HARDENING: If remote access to EWIO2 devices is required, route traffic through a VPN that is kept current with security patches. The VPN only protects the transport; an unpatched device remains exposed to every endpoint inside the VPN, so it complements the firmware update rather than replacing it.
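The two work queues above (patch everything below 2.2.0; put a firewall in front of anything reachable from outside the OT segment first) can be driven from an asset inventory. The following is an added Python example, not code from the advisory, ICS-CERT, or METZ CONNECT. It assumes the inventory has already been exported as rows with `host`, `model` and `firmware` keys; the sample rows and the `10.20.1.0/24` OT segment are constructed data, and the script never contacts a device.

```python
"""Added triage example for ICSA-25-322-05; not code from the advisory,
ICS-CERT, or METZ CONNECT. Assumes an asset inventory already exported as
rows with 'host', 'model' and 'firmware' keys; the rows and the OT subnet
below are constructed sample data, not real devices."""
import ipaddress
import re

AFFECTED_MODELS = {"EWIO2-M", "EWIO2-M-BM", "EWIO2-BM"}   # from the advisory
FIXED_VERSION = (2, 2, 0)                                  # firmware 2.2.0 fixes the bypass

# Hypothetical OT segment(s) in which EWIO2 devices are expected to live.
OT_SEGMENTS = [ipaddress.ip_network("10.20.1.0/24")]

# Constructed sample inventory (hypothetical addresses and firmware levels).
SAMPLE_INVENTORY = [
    {"host": "10.20.1.11", "model": "EWIO2-M",    "firmware": "2.1.4"},
    {"host": "10.20.1.12", "model": "EWIO2-M-BM", "firmware": "2.2.0"},
    {"host": "10.20.1.13", "model": "EWIO2-BM",   "firmware": "2.10.1"},
    {"host": "172.16.5.7", "model": "EWIO2-BM",   "firmware": "1.9.0"},
    {"host": "10.20.1.20", "model": "OTHER-IO",   "firmware": "0.9"},
]

VERSION_RE = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """'2.2.0' -> (2, 2, 0). Missing components count as 0; trailing
    suffixes such as '-rc1' are ignored, so check pre-release builds by hand.

    Numeric tuples compare correctly; plain string comparison would rank
    '2.10.1' below '2.2.0' and flag a patched device as vulnerable.
    """
    m = VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def is_vulnerable(model, firmware):
    """True when the row is an affected model running firmware below 2.2.0."""
    return model in AFFECTED_MODELS and parse_version(firmware) < FIXED_VERSION


def outside_ot_segments(host):
    """True when the address is not inside any expected OT segment."""
    addr = ipaddress.ip_address(host)
    return not any(addr in net for net in OT_SEGMENTS)


def triage(inventory):
    """Split the inventory into the advisory's two work queues.

    'patch'   : affected devices below 2.2.0 (schedule the firmware update)
    'isolate' : the subset sitting outside the OT segments, i.e. the 'do now'
                hardening candidates that need a firewall in front of them
                before the maintenance window
    """
    patch, isolate = [], []
    for row in inventory:
        if not is_vulnerable(row["model"], row["firmware"]):
            continue
        patch.append(row["host"])
        if outside_ot_segments(row["host"]):
            isolate.append(row["host"])
    return {"patch": patch, "isolate": isolate}


if __name__ == "__main__":
    for queue, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{queue}: {', '.join(hosts) or '-'}")
```

Run it directly to print both queues for the sample rows; in practice the inventory comes from the asset-management export and `OT_SEGMENTS` from the network design. The version parser is the part worth keeping: a naive string comparison would report the `2.10.1` device as unpatched.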