CVE-2025-41733
CRITICALDescription
The commissioning wizard on the affected devices does not validate if the device is already initialized. An unauthenticated remote attacker can construct POST requests to set root credentials.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| metz-connect | ewio2-m_firmware |
| metz-connect | ewio2-m |
| metz-connect | ewio2-m-bm_firmware |
| metz-connect | ewio2-m-bm |
| metz-connect | ewio2-bm_firmware |
| metz-connect | ewio2-bm |
References
Other References
Frequently Asked Questions
What is CVE-2025-41733? +
How severe is CVE-2025-41733? +
What products are affected by CVE-2025-41733? +
How do I check if I'm vulnerable to CVE-2025-41733? +
Related Vulnerabilities
RatPanel is a server operation and maintenance management panel. In versions 2.3.19 through 2.5.5, when an attacker obtains the backend …
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and …
KUNBUS Revolution Pi OS Bookworm 01/2025 is vulnerable because authentication is not configured by default for the Node-RED server. This …
In OpenEdge Authentication Gateway and AdminServer prior to 11.7.19, 12.2.14, 12.8.1 on all platforms supported by the OpenEdge product, an …
MileSight DeviceHub - CWE-305 Missing Authentication for Critical Function
Authentication Bypass by Primary Weakness vulnerability in XPodas Octopod allows Authentication Bypass.This issue affects Octopod: before v1. NOTE: The vendor …