CVE-2025-41736 is a path traversal vulnerability classified under CWE-35 found in the METZ CONNECT Energy-Controlling EWIO2-M device. The vulnerability arises from improper sanitization of file path inputs in PHP scripts that handle file uploads or modifications. Specifically, the use of the path traversal sequence '.../...//' allows an attacker with low privileges to manipulate the target filename parameter, enabling them to upload new or overwrite existing Python scripts on the device's filesystem. This unauthorized file write capability leads directly to remote code execution (RCE), as the attacker can execute arbitrary Python code on the device. The vulnerability does not require user interaction and can be exploited remotely over the network, increasing its risk profile. The CVSS v3.1 base score of 8.8 reflects the ease of exploitation (network vector, low attack complexity), the requirement of low privileges, and the high impact on confidentiality, integrity, and availability. The product version affected is listed as 0.0.0, which likely indicates all current versions or an initial release. No public patches or known exploits have been reported at the time of publication, but the vulnerability's nature suggests it could be leveraged for persistent control over energy-controlling systems, potentially disrupting critical infrastructure operations.

For European organizations, particularly those in industrial automation, energy management, and critical infrastructure sectors, this vulnerability poses a significant threat. Successful exploitation could allow attackers to execute arbitrary code on energy-controlling devices, leading to unauthorized control, data theft, or sabotage of energy systems. This could result in operational downtime, safety hazards, and financial losses. Given the device's role in energy control, attackers might manipulate energy consumption data, disrupt power distribution, or cause cascading failures in connected systems. The high CVSS score indicates a severe impact on confidentiality, integrity, and availability, making it a critical risk for organizations relying on METZ CONNECT devices. Additionally, the lack of known exploits currently provides a window for proactive mitigation before widespread exploitation occurs.

1. Immediately restrict network access to the EWIO2-M device management interfaces to trusted administrators only, preferably via VPN or isolated management networks. 2. Implement strict input validation and sanitization on all file upload and filename parameters in the PHP backend to prevent path traversal sequences such as '.../...//'. 3. Monitor and audit device file systems for unauthorized changes, especially unexpected Python scripts or modifications. 4. Deploy host-based intrusion detection systems (HIDS) on devices or connected systems to detect anomalous file writes or execution patterns. 5. Coordinate with METZ CONNECT for official patches or firmware updates addressing this vulnerability and apply them promptly once available. 6. Employ network segmentation to isolate energy-controlling devices from general IT networks to limit lateral movement in case of compromise. 7. Educate operational technology (OT) staff about this vulnerability and enforce strict credential management to prevent low-privilege account misuse. 8. Consider deploying application whitelisting on devices to restrict execution to authorized scripts only.