CVE-2025-41737 is a vulnerability classified under CWE-284 (Improper Access Control) found in the METZ CONNECT Energy-Controlling EWIO2-M device. The root cause is a misconfiguration in the embedded webserver that allows unauthenticated remote attackers to access and read the source code of PHP modules. This exposure can reveal sensitive information such as hardcoded credentials, internal logic, or configuration details that could facilitate further attacks. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS v3.1 score is 7.5 (high), reflecting the ease of exploitation (network attack vector, low complexity) and the high confidentiality impact, while integrity and availability remain unaffected. No patches are currently listed, and no exploits have been observed in the wild, but the potential for information leakage is significant. The affected product is used in energy management environments, which are critical infrastructure sectors. The vulnerability was reserved in April 2025 and published in November 2025 by CERTVDE, indicating a recent discovery. The lack of authentication requirements and the direct exposure of source code make this a serious concern for organizations relying on this device for energy control and monitoring.

The primary impact of CVE-2025-41737 is the compromise of confidentiality due to unauthorized disclosure of PHP source code. This can lead to leakage of sensitive information such as credentials, encryption keys, or proprietary algorithms embedded in the code. For European organizations, especially those in the energy sector, this could facilitate further targeted attacks, including unauthorized access or manipulation of energy control systems. Although integrity and availability are not directly affected, the exposure of source code increases the attack surface and could enable attackers to craft more effective exploits. Given the critical nature of energy infrastructure in Europe, exploitation could have cascading effects on operational security and compliance with regulatory requirements such as NIS2. The vulnerability's remote and unauthenticated nature means attackers can exploit it without insider access, increasing the risk of widespread compromise if the device is internet-facing or accessible within corporate networks.

To mitigate CVE-2025-41737, organizations should immediately review and correct the webserver configuration on the EWIO2-M devices to ensure PHP source code files are not accessible via HTTP requests. This typically involves disabling directory listing, properly configuring the webserver to process PHP files rather than serving them as plain text, and restricting access to sensitive directories. Network segmentation should be enforced to limit access to the device's management interface only to trusted internal networks. Monitoring and logging access attempts to the device can help detect exploitation attempts. Since no official patches are currently available, organizations should engage with METZ CONNECT for updates and apply any forthcoming security patches promptly. Additionally, conducting a security audit of all similar devices in the environment to identify misconfigurations and applying secure deployment best practices is recommended. Implementing strict access controls and considering compensating controls such as web application firewalls can further reduce risk.