CVE-2025-41710 identifies a vulnerability in the Janitza UMG 96RM-E 24V(5222063) energy meter device, specifically due to the presence of hard-coded credentials embedded within the device firmware or software. These credentials enable unauthenticated remote attackers to gain access to an FTP server that is activated by default or previously enabled on the device. The FTP server grants limited read and write privileges, allowing attackers to potentially read sensitive configuration or measurement data and write files that could alter device behavior or facilitate further attacks. The vulnerability is classified under CWE-798, which concerns the use of hard-coded credentials that cannot be changed by the user, representing a fundamental security design flaw. The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited impact on confidentiality and integrity but no impact on availability. The vulnerability affects version 0.0 of the product, with no patches currently available and no known exploits in the wild. The presence of hard-coded credentials means that any attacker who can reach the device's FTP service can attempt to authenticate using these credentials, bypassing normal authentication mechanisms. This can lead to unauthorized data access and potential manipulation of device files, which may affect operational integrity or provide a foothold for lateral movement within industrial or critical infrastructure networks.

The primary impact of this vulnerability is unauthorized access to the FTP server on the Janitza UMG 96RM-E device, which could lead to limited disclosure of sensitive operational data and unauthorized modification of files. While the FTP access is limited in privileges, attackers could leverage this foothold to gather intelligence about the device and network, potentially facilitating further attacks or disruptions. In industrial or critical infrastructure environments where these devices are deployed, such unauthorized access could undermine trust in measurement data, affect operational decisions, or serve as an entry point for broader network compromise. The lack of required authentication and user interaction makes exploitation relatively straightforward for attackers with network access. However, the impact on availability is negligible, and the confidentiality and integrity impacts are limited but non-trivial. Organizations relying on these devices for energy monitoring or management could face operational risks and compliance issues if the vulnerability is exploited.

To mitigate this vulnerability, organizations should first restrict network access to the Janitza UMG 96RM-E devices, ensuring that the FTP service is not exposed to untrusted networks or the internet. Network segmentation and firewall rules should be implemented to limit access only to authorized management stations. If possible, disable the FTP server on the device if it is not required for operational purposes. Monitor FTP server logs and network traffic for unusual access attempts or file modifications. Engage with Janitza to obtain firmware updates or patches addressing the hard-coded credentials issue, and apply them promptly once available. Additionally, consider deploying intrusion detection systems (IDS) tuned to detect anomalous FTP activity. For environments where patching is delayed, implement compensating controls such as VPN access for management traffic and multi-factor authentication on management interfaces to reduce risk. Finally, review and update asset inventories to identify all affected devices and prioritize remediation efforts accordingly.