CVE-2025-41735 is a vulnerability identified in the METZ CONNECT Energy-Controlling EWIO2-M device, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw allows a remote attacker with low privileges to upload arbitrary files to any location on the device due to the absence of proper file type validation during the upload process. This lack of restriction enables attackers to place malicious payloads, such as web shells or scripts, that can be executed remotely, leading to full remote code execution (RCE). The vulnerability is exploitable over the network without requiring user interaction, and the attacker does not need elevated privileges beyond low-level access, which significantly lowers the barrier to exploitation. The CVSS v3.1 score of 8.8 reflects the critical impact on confidentiality, integrity, and availability, as successful exploitation can compromise the device, disrupt energy control operations, and potentially pivot into broader network environments. The affected product, EWIO2-M, is used in energy management and control systems, making the vulnerability particularly sensitive given the critical nature of such infrastructure. No patches or fixes have been published yet, and no known exploits are reported in the wild, but the risk remains high due to the nature of the flaw and the criticality of the affected systems.

For European organizations, especially those involved in energy management, industrial automation, and critical infrastructure, this vulnerability poses a significant threat. Exploitation could lead to unauthorized control over energy-controlling devices, resulting in operational disruptions, potential physical damage, and data breaches. The compromise of such devices could also serve as a foothold for attackers to move laterally within networks, escalating attacks to other critical systems. Given the strategic importance of energy infrastructure in Europe, successful attacks could have cascading effects on national security, economic stability, and public safety. Additionally, regulatory compliance risks arise, as organizations may fail to meet cybersecurity standards such as NIS2 or GDPR if they do not adequately protect these systems. The absence of patches increases the urgency for proactive defense measures to prevent exploitation.

Organizations should immediately implement network segmentation to isolate EWIO2-M devices from general IT networks and limit exposure to untrusted networks. Strict access controls should be enforced, ensuring only authorized personnel and systems can communicate with these devices. Deploying web application firewalls (WAFs) or intrusion prevention systems (IPS) with rules to detect and block suspicious file upload attempts can provide additional protection. Monitoring logs and network traffic for anomalous activities related to file uploads or unexpected file creations is critical. Vendors and users should prioritize the development and deployment of patches or firmware updates that enforce strict file type validation and restrict upload locations. Until patches are available, disabling or restricting file upload functionality where possible can reduce risk. Conducting regular security assessments and penetration tests focused on these devices will help identify and remediate weaknesses. Finally, raising awareness among operational technology (OT) teams about this vulnerability ensures timely detection and response.