METZ CONNECT EWIO2 Series Authentication Bypass Vulnerability Allowing Admin Takeover

An authentication bypass vulnerability has been identified in the METZ CONNECT EWIO2 series devices, specifically in the Energy-Controlling EWIO2-M, EWIO2-M-BM, and Ethernet-IO EWIO2-BM models, all running firmware prior to 2.2.0. This vulnerability allows unauthenticated remote attackers with network access to gain administrative control over the device. Once compromised, attackers can change configurations, manipulate data, disrupt services, and potentially render the device non-functional.

Impact

Exploitation of this vulnerability allows for unauthorized administrative access to the device, enabling an attacker to take full control, alter settings, and disrupt normal operations. Such actions could also lead to the device becoming inoperable.

Remediation

Users are advised to update to version 2.2.0 or later. Schedule the update during the next maintenance window, as no workaround provides equivalent protection.