Unrated severityNVD Advisory· Published Nov 18, 2025· Updated Nov 18, 2025

Possible malfunction credential injection

CVE-2025-41733

Description

The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.

Affected products

Connect Inc./Energy Controlling Ewio2 Mv5
Range: 0.0.0
Metz Connect/Energy Controlling Ewio2 M Bmv5
Range: 0.0.0
Metz Connect/Ethernet Io Ewio2 Bmv5
Range: 0.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

certvde.com/de/advisories/VDE-2025-097mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000