CVE-2025-41737 Overview
CVE-2025-41737 affects Metz Connect EWIO2 industrial energy measurement devices. A webserver misconfiguration exposes PHP module source code to unauthenticated remote attackers. The flaw allows attackers to retrieve server-side PHP source files over the network without credentials or user interaction.
Source code disclosure exposes application logic, hardcoded values, internal API paths, and authentication routines. Attackers can use this information to plan follow-on attacks against the device. The vulnerability is tracked under CWE-284: Improper Access Control and documented in CERT VDE Advisory VDE-2025-097.
Critical Impact
Unauthenticated remote attackers can read PHP module source code on affected EWIO2 devices, exposing application internals that may enable further compromise.
Affected Products
- Metz Connect EWIO2-M firmware and hardware
- Metz Connect EWIO2-M-BM firmware and hardware
- Metz Connect EWIO2-BM firmware and hardware
Discovery Timeline
- 2025-11-18 - CVE-2025-41737 published to NVD
- 2025-11-21 - Last updated in NVD database
Technical Details for CVE-2025-41737
Vulnerability Analysis
The vulnerability stems from a webserver configuration error on EWIO2 devices. The HTTP server delivers PHP files as static content instead of passing them to the PHP interpreter for execution. As a result, requests targeting .php resources return raw source text rather than dynamically rendered output.
Source disclosure on an embedded device is significant. PHP modules on industrial controllers often contain authentication logic, session handling code, configuration parsers, and references to internal endpoints. Attackers analyzing this code can identify input validation gaps, hardcoded secrets, or undocumented administrative routes.
The issue is classified under CWE-284: Improper Access Control. The webserver enforces no access restriction on the resources it serves and no handler mapping that would force PHP execution.
Root Cause
The root cause is a webserver handler misconfiguration. The PHP execution handler is either missing, disabled, or not bound to the .php extension within the document root. Static file delivery becomes the default behavior for these files.
Attack Vector
An unauthenticated attacker with network access to the device sends an HTTP GET request for a known PHP module path. The webserver responds with the raw PHP source. No credentials, session, or user interaction are required. Attack complexity is low, and the impact is limited to confidentiality.
No verified public proof-of-concept code is available. Refer to the CERT VDE Advisory VDE-2025-097 for vendor-supplied technical details.
Detection Methods for CVE-2025-41737
Indicators of Compromise
- HTTP GET requests from external sources targeting .php paths on EWIO2 device webservers.
- HTTP 200 responses to .php requests that return Content-Type: text/plain or application/octet-stream instead of text/html.
- Repeated enumeration of PHP file paths from a single source IP within a short window.
Detection Strategies
- Inspect webserver and reverse proxy logs for .php requests returning unusually large response bodies that resemble source code.
- Run an authenticated configuration audit against EWIO2 devices to verify the PHP handler is registered and active.
- Use a network scanner to fetch known PHP paths and compare response headers against expected dynamic output.
Monitoring Recommendations
- Forward EWIO2 webserver access logs to a centralized SIEM and alert on anonymous requests for PHP resources.
- Baseline normal HTTP traffic to the device management interface and flag deviations in request patterns or content types.
- Restrict and monitor north-south traffic to operational technology (OT) segments hosting EWIO2 devices.
How to Mitigate CVE-2025-41737
Immediate Actions Required
- Apply the firmware update provided by Metz Connect as referenced in CERT VDE Advisory VDE-2025-097.
- Remove direct internet exposure of EWIO2 management interfaces and place devices behind a firewall or VPN.
- Audit webserver access logs for prior unauthenticated requests to .php paths and assess potential information exposure.
Patch Information
Metz Connect has coordinated disclosure through CERT@VDE. Consult CERT VDE Advisory VDE-2025-097 for the fixed firmware versions and upgrade instructions specific to the EWIO2-M, EWIO2-M-BM, and EWIO2-BM product lines.
Workarounds
- Limit access to the device webserver to trusted management hosts using network access control lists.
- Segment EWIO2 devices on a dedicated OT VLAN with strict egress filtering until firmware can be applied.
- Disable remote webserver access where the management interface is not required for operational workflows.
# Example: restrict EWIO2 webserver access to a management subnet
iptables -A INPUT -p tcp --dport 80 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.10.50.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
