CVE-2025-41734 is a critical vulnerability classified under CWE-98 (Improper Control of Filename for Include/Require Statement) affecting the METZ CONNECT Energy-Controlling EWIO2-M device. This vulnerability allows an unauthenticated remote attacker to execute arbitrary PHP files on the device by exploiting insufficient validation of user-supplied input in PHP include or require statements. The attacker can craft malicious requests that cause the device to include and execute remote or local PHP files, leading to remote code execution (RCE). This results in full system compromise, allowing the attacker to gain complete control over the device, potentially manipulating energy control functions or using the device as a foothold for lateral movement within the network. The vulnerability is remotely exploitable over the network without any authentication or user interaction, making it highly dangerous. The CVSS v3.1 score of 9.8 reflects the critical nature of this flaw, with high impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the vulnerability's characteristics suggest it could be weaponized quickly. The affected product, EWIO2-M, is used in energy management systems, which are critical for operational technology environments. The lack of available patches at the time of disclosure increases the urgency for mitigation through network segmentation and access controls.

For European organizations, especially those involved in energy management and critical infrastructure, this vulnerability poses a severe threat. Exploitation could lead to unauthorized control over energy-controlling devices, potentially disrupting energy distribution, causing outages, or manipulating energy data. Such disruptions could have cascading effects on industrial operations, public utilities, and national security. Confidentiality breaches could expose sensitive operational data, while integrity compromises could allow attackers to falsify energy usage or control commands. Availability impacts could result in denial of service or operational shutdowns. Given the critical role of energy infrastructure in Europe and the increasing digitization of industrial control systems, this vulnerability could be leveraged by cybercriminals or nation-state actors to conduct sabotage or espionage. The lack of authentication and user interaction requirements makes the attack vector broad and accessible, increasing the risk of widespread exploitation if not mitigated promptly.

1. Immediately restrict network access to the EWIO2-M devices by implementing strict firewall rules and network segmentation, isolating these devices from general IT networks and the internet. 2. Monitor network traffic for unusual requests targeting PHP include or require functions on the device. 3. Disable or restrict remote management interfaces if not necessary, or enforce VPN and strong authentication mechanisms for remote access. 4. Apply vendor patches or firmware updates as soon as they become available; maintain close communication with METZ CONNECT for updates. 5. Conduct regular security audits and vulnerability assessments on energy management systems to detect similar issues. 6. Implement intrusion detection/prevention systems (IDS/IPS) tuned to detect remote file inclusion attempts. 7. Employ application-layer filtering to sanitize inputs and block suspicious payloads targeting PHP file inclusion. 8. Maintain comprehensive logging and monitoring to detect exploitation attempts early. 9. Develop and test incident response plans specific to industrial control system compromises.