Cyber Posture

CVE-2025-41734

Critical

Published: 18 November 2025

Published
18 November 2025
Modified
21 November 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0012 30.9th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-41734 is a critical-severity PHP Remote File Inclusion (CWE-98) vulnerability in Metz-Connect Ewio2-M Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely identification, reporting, and patching of the PHP arbitrary execution flaw directly prevents unauthenticated remote exploitation.

SI-10 Information Input Validation good match
prevent

Validates external inputs to PHP file operations, blocking malicious file paths or payloads that enable arbitrary code execution.

SI-9 Information Input Restrictions good match
prevent

Restricts inputs to authorized file types and paths, preventing unauthenticated attackers from specifying arbitrary PHP files for execution.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

The vulnerability allows unauthenticated remote code execution via arbitrary PHP file execution on a public-facing application, directly mapping to Exploitation of Public-Facing Application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An unauthenticated remote attacker can execute arbitrary php files and gain full access of the affected devices.

Deeper analysisAI

CVE-2025-41734, published on 2025-11-18, is a high-severity vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) mapped to CWE-98. It enables an unauthenticated remote attacker to execute arbitrary PHP files on affected devices, potentially leading to full system compromise.

The vulnerability can be exploited by any unauthenticated attacker with network access, requiring low complexity and no privileges or user interaction. Successful exploitation grants full access to the affected devices, allowing arbitrary code execution with high impact on confidentiality, integrity, and availability.

Mitigation details are available in the referenced advisory at https://certvde.com/de/advisories/VDE-2025-097.

Details

CWE(s)
CWE-98

Affected Products

metz-connect
ewio2-m firmware
≤ 2.2.0
metz-connect
ewio2-m-bm firmware
≤ 2.2.0
metz-connect
ewio2-bm firmware
≤ 2.2.0

CVEs Like This One

CVE-2025-41735Same product: Metz-Connect Ewio2-Bm
CVE-2025-41736Same product: Metz-Connect Ewio2-Bm
CVE-2025-41733Same product: Metz-Connect Ewio2-Bm
CVE-2025-49994Shared CWE-98
CVE-2025-69075Shared CWE-98
CVE-2025-58950Shared CWE-98
CVE-2025-30871Shared CWE-98
CVE-2026-22439Shared CWE-98
CVE-2025-22707Shared CWE-98
CVE-2025-69373Shared CWE-98

References