CVE-2025-41734 is a critical vulnerability identified in the METZ CONNECT Energy-Controlling EWIO2-M device, classified under CWE-98, which concerns improper control of filenames used in include or require statements in PHP programs. This flaw allows an unauthenticated remote attacker to perform remote file inclusion (RFI) attacks by manipulating the filename parameter in PHP scripts. By exploiting this vulnerability, attackers can execute arbitrary PHP code on the device, effectively gaining full control over the system. The vulnerability does not require any authentication or user interaction, making it trivially exploitable over the network. The affected product version is listed as 0.0.0, indicating the initial or all versions prior to patching are vulnerable. The CVSS v3.1 base score of 9.8 reflects the critical nature of this flaw, with attack vector being network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H), meaning attackers can fully compromise the device, steal sensitive data, modify configurations, or disrupt operations. The vulnerability was reserved in April 2025 and published in November 2025, with no known exploits in the wild yet. Given that the device is used in energy controlling systems, exploitation could have serious implications for industrial control and energy management environments. No patches are currently linked, so mitigation relies on network-level controls and monitoring until vendor updates are released.

For European organizations, especially those in the energy sector or industrial automation using METZ CONNECT Energy-Controlling EWIO2-M devices, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized control over critical energy management infrastructure, potentially causing operational disruptions, data breaches, or sabotage. The confidentiality of sensitive operational data could be compromised, integrity of control commands altered, and availability of energy services disrupted. This could affect utilities, manufacturing plants, and critical infrastructure operators, leading to financial losses, regulatory penalties, and safety hazards. Given Europe's strong regulatory environment around critical infrastructure protection (e.g., NIS Directive), affected organizations may face compliance issues if the vulnerability is exploited. The lack of authentication and ease of exploitation increase the likelihood of attacks, especially if devices are exposed to untrusted networks or the internet. The absence of known exploits currently provides a window for proactive mitigation, but the critical severity demands immediate attention to prevent potential targeted attacks or automated scanning and exploitation campaigns.

1. Immediately isolate affected EWIO2-M devices from untrusted networks, especially the internet, to reduce exposure. 2. Implement strict network segmentation and firewall rules to restrict access to the devices only to trusted management systems. 3. Monitor network traffic and device logs for unusual or unauthorized access attempts, particularly HTTP requests attempting to include remote files. 4. Engage with METZ CONNECT support or vendor channels to obtain and apply security patches or firmware updates as soon as they become available. 5. If patching is delayed, consider deploying web application firewalls (WAF) or intrusion prevention systems (IPS) with custom rules to detect and block remote file inclusion attack patterns. 6. Conduct a thorough inventory of all EWIO2-M devices in the environment to ensure none are overlooked. 7. Review and harden device configurations, disabling any unnecessary services or PHP functionalities that could be exploited. 8. Educate operational technology (OT) and IT teams about this vulnerability and the importance of rapid response. 9. Prepare incident response plans specifically addressing potential exploitation scenarios involving these devices. 10. Collaborate with industry information sharing groups to stay informed about emerging threats or exploit attempts related to this vulnerability.