CVE-2025-41733 is a critical vulnerability classified under CWE-305 (Authentication Bypass by Primary Weakness) affecting the METZ CONNECT Energy-Controlling EWIO2-M device. The root cause lies in the commissioning wizard's failure to validate whether the device has already been initialized. This logic flaw allows an unauthenticated remote attacker to send specially crafted HTTP POST requests to the device, effectively setting or resetting root credentials without any authentication or user interaction. The vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), and no user interaction (UI:N), making it highly accessible to attackers. The impact is severe, as it grants full administrative control over the device, compromising confidentiality, integrity, and availability of the device and potentially the broader energy control infrastructure it manages. The CVSS v3.1 score is 9.8 (critical), reflecting the ease of exploitation and the broad impact. No patches or fixes have been published yet, and no known exploits have been observed in the wild. The device is typically deployed in energy management and industrial control environments, where unauthorized control can lead to operational disruptions or data breaches.

For European organizations, this vulnerability poses a significant threat to critical infrastructure, particularly in energy management and industrial automation sectors. Compromise of the EWIO2-M device could allow attackers to manipulate energy control systems, potentially causing operational outages, data theft, or sabotage. The ability to set root credentials remotely without authentication means attackers can establish persistent control, bypassing all security controls. This could lead to cascading failures in energy distribution or industrial processes, impacting availability and safety. Confidentiality of sensitive operational data is also at risk. Given the critical nature of energy infrastructure in Europe and increasing reliance on automated control systems, exploitation could have severe economic and safety consequences. Organizations may face regulatory penalties if they fail to secure these devices adequately.

Until an official patch is released, European organizations should implement strict network segmentation to isolate EWIO2-M devices from untrusted networks, especially the internet. Access to the device management interfaces should be restricted using firewalls and VPNs with strong authentication. Monitoring network traffic for unusual POST requests targeting the commissioning wizard endpoints can help detect exploitation attempts. Disable or restrict commissioning wizard functionality if possible. Employ intrusion detection systems tailored to detect anomalous device configuration changes. Regularly audit device configurations and credentials to identify unauthorized modifications. Engage with METZ CONNECT for updates and apply patches immediately once available. Additionally, consider deploying compensating controls such as multi-factor authentication on management interfaces and maintaining offline backups of device configurations to enable recovery.