CVE-2025-41733 is an authentication bypass vulnerability identified in the METZ CONNECT Energy-Controlling EWIO2-M device. The root cause is a primary weakness (CWE-305) in the commissioning wizard, which does not validate whether the device has already been initialized before accepting configuration commands. Specifically, an unauthenticated remote attacker can send specially crafted POST requests to the device's commissioning interface to set or reset root credentials arbitrarily. This bypasses all authentication mechanisms, granting the attacker full administrative access. The vulnerability is remotely exploitable over the network without any required privileges or user interaction, making it highly accessible for attackers. The CVSS v3.1 base score is 9.8, indicating critical severity with high impact on confidentiality, integrity, and availability. The vulnerability affects version 0.0.0 of the product, with no patches currently available. Although no exploits have been observed in the wild, the vulnerability's nature and ease of exploitation make it a significant threat, especially in environments where these devices control energy or industrial processes. The lack of device initialization checks means that once exploited, attackers can fully control the device, potentially disrupting energy management systems or causing unsafe operational states.

For European organizations, this vulnerability poses a severe risk to energy infrastructure and industrial control systems that rely on METZ CONNECT Energy-Controlling EWIO2-M devices. Successful exploitation can lead to complete compromise of device control, allowing attackers to manipulate energy distribution, disrupt operational processes, or cause denial of service. This could result in operational downtime, safety hazards, financial losses, and damage to critical infrastructure. Confidentiality breaches could expose sensitive operational data, while integrity violations could lead to unauthorized changes in energy management settings. Availability impacts could disrupt energy supply or industrial automation, affecting businesses and public services. Given Europe's strong emphasis on energy security and industrial automation, the vulnerability could have cascading effects on national grids and critical industries if exploited at scale.

Since no patches are currently available, European organizations should implement immediate compensating controls. These include isolating the affected devices within segmented, trusted network zones with strict access controls to prevent unauthorized remote access. Network-level filtering should restrict POST requests to the commissioning interface to only trusted administrators or management systems. Continuous monitoring and logging of configuration changes on the device should be enabled to detect suspicious activity promptly. Organizations should also conduct thorough inventories to identify all deployed EWIO2-M devices and assess exposure. Where possible, disable or restrict the commissioning wizard interface until a patch is released. Engage with METZ CONNECT for updates on patches or firmware upgrades. Additionally, implement multi-factor authentication and strong network authentication mechanisms at the perimeter to reduce attack surface. Incident response plans should be updated to address potential exploitation scenarios involving this vulnerability.