CVE-2025-41736 is a path traversal vulnerability classified under CWE-35, affecting the METZ CONNECT Energy-Controlling EWIO2-M device. The vulnerability arises from insufficient validation of file path inputs in a PHP component responsible for handling script uploads. By exploiting path traversal sequences ('.../...//'), a low-privileged remote attacker can manipulate the target filename parameter to escape the intended directory and upload or overwrite arbitrary Python scripts on the device's filesystem. This unauthorized file write capability enables remote code execution (RCE), granting the attacker the ability to execute arbitrary commands with the privileges of the affected service. The vulnerability requires no user interaction and can be triggered remotely over the network, increasing its exploitability. The CVSS 3.1 score of 8.8 reflects the vulnerability's high impact on confidentiality, integrity, and availability, as attackers can compromise device control and potentially pivot into connected networks. Although no public exploits have been reported yet, the nature of the vulnerability and the critical role of the device in energy management make it a significant threat. The affected version is listed as 0.0.0, which likely indicates all current versions up to the publication date are vulnerable. The vulnerability was reserved in April 2025 and published in November 2025, with no patches currently available, emphasizing the urgency for mitigation.

For European organizations, especially those in the energy sector or industrial automation, this vulnerability poses a severe risk. The EWIO2-M device is used for energy controlling, likely integrated into critical infrastructure such as smart grids, manufacturing plants, or building management systems. Exploitation could lead to unauthorized control over energy management processes, causing operational disruptions, data breaches, or sabotage. Confidentiality is at risk as attackers may access sensitive operational data; integrity is compromised through unauthorized script uploads altering device behavior; availability is threatened by potential denial-of-service conditions or destructive commands. Given the device's role, successful exploitation could cascade into broader network compromises, affecting supply chains and critical services. The remote and low-privilege nature of the exploit lowers the barrier for attackers, increasing the likelihood of targeted attacks against European energy infrastructure. This could have economic and safety implications, especially in countries with high reliance on automated energy control systems.

Immediate mitigation should focus on network-level protections: isolate EWIO2-M devices within dedicated network segments with strict access controls and firewall rules limiting inbound connections to trusted sources only. Implement intrusion detection systems (IDS) to monitor for unusual file upload activities or path traversal patterns in HTTP requests. Since no patches are currently available, organizations should consider disabling remote upload functionalities if feasible or restricting access to the management interface via VPN or secure tunnels. Regularly audit device configurations and logs for signs of exploitation attempts. Engage with METZ CONNECT for updates on patches or firmware upgrades addressing this vulnerability. Additionally, employ application-layer filtering or web application firewalls (WAFs) capable of detecting and blocking path traversal attempts. For long-term security, adopt a defense-in-depth approach including endpoint protection on connected systems and incident response plans tailored to energy control environments.