CVE-2025-41737 is a vulnerability identified in the METZ CONNECT Energy-Controlling EWIO2-M device, specifically stemming from a webserver misconfiguration that leads to improper access control (CWE-284). The misconfiguration allows an unauthenticated remote attacker to access and read the source code of PHP modules hosted on the device. This exposure can reveal sensitive information such as credentials, internal logic, or configuration details embedded within the PHP source files. The vulnerability is classified as high severity with a CVSS 3.1 base score of 7.5, reflecting its network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality (C:H) but no impact on integrity or availability. The vulnerability affects version 0.0.0 of the product, indicating an initial or baseline release. Although no known exploits have been reported in the wild, the ability to read source code remotely without authentication presents a significant security risk, as attackers can analyze the source to identify further vulnerabilities or extract sensitive data. The device is used in energy-controlling applications, which are critical for industrial and infrastructure environments, increasing the potential impact of exploitation. The vulnerability was reserved in April 2025 and published in November 2025, with no patches currently linked, emphasizing the need for immediate mitigation through configuration changes and monitoring.

The primary impact of CVE-2025-41737 is the unauthorized disclosure of sensitive information due to exposure of PHP source code. For European organizations, especially those in the energy and industrial sectors, this could lead to the compromise of operational technology (OT) environments, intellectual property theft, and facilitation of further attacks such as privilege escalation or remote code execution if additional vulnerabilities are discovered in the exposed code. The confidentiality breach could undermine trust in critical infrastructure systems and cause regulatory compliance issues under frameworks like NIS2 and GDPR if personal or operational data is exposed. Although integrity and availability are not directly impacted by this vulnerability, the information leakage can be a stepping stone for more damaging attacks. The risk is heightened in countries with extensive deployment of METZ CONNECT devices in energy management, smart grids, or industrial automation, where disruption or espionage could have significant economic and societal consequences.

To mitigate CVE-2025-41737, organizations should immediately audit and correct the webserver configuration on affected EWIO2-M devices to ensure PHP source files are not accessible via HTTP requests. This typically involves disabling directory listing, properly configuring the webserver to process PHP files rather than serving them as plain text, and restricting access to sensitive directories. Network segmentation should be enforced to limit exposure of these devices to untrusted networks. Monitoring and logging access attempts to the webserver should be enhanced to detect suspicious activity. Organizations should engage with METZ CONNECT for official patches or firmware updates addressing this vulnerability and apply them promptly once available. Additionally, conducting a security review of all web-facing interfaces in OT environments is recommended to identify similar misconfigurations. Implementing strict access controls and employing web application firewalls (WAFs) can provide additional layers of defense against exploitation attempts.