METZ CONNECT EWIO2 Series Authentication Bypass Vulnerability Allowing Unauthenticated Admin Takeover

A critical authentication bypass vulnerability has been identified in the METZ CONNECT EWIO2 series, specifically in the Energy-Controlling EWIO2-M, EWIO2-M-BM, and Ethernet-IO EWIO2-BM models, all running firmware prior to 2.2.0. This vulnerability allows unauthenticated remote attackers with network access to gain administrative control over the affected devices. Once compromised, attackers can execute arbitrary PHP files, change configurations, manipulate data, disrupt services, and potentially render the device non-functional.

Impact

Exploitation of this vulnerability allows for unauthorized administrative access, enabling attackers to take full control of the device. This could lead to unauthorized changes in configuration, data manipulation, service disruption, or causing the device to become non-functional.

Remediation

Users are advised to update to version 2.2.0 or later. Schedule the update during the next maintenance window, as no workaround provides equivalent protection.