CVE-2025-41736
Published: 18 November 2025
Description
A low-privileged remote attacker can upload a new Python script, or overwrite an existing one, by supplying a target filename containing path traversal sequences to a PHP upload handler, resulting in remote code execution.
Mitigating Controls (NIST 800-53 r5)
Directly mitigates the path traversal in the PHP file upload by requiring validation of the target filename: canonicalize it (strip directory components, resolve the final path) and reject anything that does not stay inside the intended directory, rather than only blocklisting literal '../' sequences, which encoded or platform-specific variants can bypass.
Enforces restrictions on file upload inputs at the application boundary: allowlist the permitted filename characters, pin the file extension to a set of non-executable types, and refuse to overwrite existing files, so that Python scripts cannot be written or replaced through the upload path.
Enforces access control policies on file system resources to prevent low-privileged remote attackers from writing or overwriting Python scripts in executable directories despite path traversal attempts.
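The following PHP is an added example, not code from the advisory or from the affected product. It shows the vulnerable shape described above (the client-supplied target filename joined directly onto an upload directory) beside a hardened handler that applies the three controls listed: filename canonicalization with a containment check, a character and extension allowlist, and a refusal to overwrite existing files. All directory, parameter and function names, and the test inputs at the bottom, are constructed for illustration.

```php
<?php
// Added example (not from the advisory or the affected product). Function,
// parameter and directory names are assumptions chosen for illustration.

// VULNERABLE: the client-controlled target filename is concatenated onto the
// upload directory unchanged, so "../../app/scripts/handler.py" escapes it
// and overwrites whatever lives at that path.
function save_upload_vulnerable(string $uploadDir, string $targetName, string $tmpFile): string
{
    $dest = $uploadDir . '/' . $targetName;   // no normalisation or containment check
    move_uploaded_file($tmpFile, $dest);      // writes wherever $targetName points
    return $dest;
}

// HARDENED, step 1: reduce the name to a single safe path segment and pin
// the extension. Returns the sanitised name or null when the input is rejected.
function validate_target_name(string $targetName, array $allowedExt): ?string
{
    // Treat backslashes as separators too, then keep only the last segment.
    $name = basename(str_replace('\\', '/', $targetName));

    // Allowlist the characters; reject empty, dot, dot-dot and hidden files.
    if ($name === '' || $name === '.' || $name === '..' || $name[0] === '.'
        || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name)) {
        return null;
    }

    // Exactly one extension, lower-cased, and it must be on the allowlist
    // (data types only, so no .py/.php can be written through this path).
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (substr_count($name, '.') !== 1 || !in_array($ext, $allowedExt, true)) {
        return null;
    }
    return $name;
}

// HARDENED, step 2: resolve the destination and confirm containment before writing.
function save_upload_hardened(string $uploadDir, string $targetName, string $tmpFile, array $allowedExt): string
{
    $name = validate_target_name($targetName, $allowedExt);
    if ($name === null) {
        throw new InvalidArgumentException('rejected target filename');
    }

    // realpath() follows symlinks, so a symlinked upload directory still
    // yields a canonical base to compare against.
    $base = realpath($uploadDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('upload directory missing');
    }
    $dest = $base . DIRECTORY_SEPARATOR . $name;
    if (dirname($dest) !== $base) {
        throw new InvalidArgumentException('destination escapes upload directory');
    }

    // Never overwrite: an attacker must not be able to replace an existing file.
    if (file_exists($dest)) {
        throw new RuntimeException('target already exists');
    }
    if (!move_uploaded_file($tmpFile, $dest)) {
        throw new RuntimeException('upload failed');
    }
    chmod($dest, 0640);   // stored as data, not executable
    return $dest;
}

// Constructed inputs (not taken from the advisory) exercising the validator.
$cases = [
    '../../app/scripts/handler.py',        // traversal to a Python script
    '..\\..\\app\\scripts\\handler.py',    // same with Windows separators
    '../../tmp/report.txt',                // traversal with an allowed extension
    '.htaccess',                           // hidden/config file
    'report.php.txt',                      // double extension
    'report.txt',                          // legitimate upload
];
foreach ($cases as $c) {
    $ok = validate_target_name($c, ['txt', 'csv']);
    printf("%-36s => %s\n", $c, $ok === null ? 'REJECTED' : "accepted as $ok");
}
```

Note that the third case is accepted as `report.txt`: `basename()` discards the directory component, so the traversal is neutralised rather than merely detected, and the containment check on the resolved path catches anything the validator might still let through. Running the script prints one line per case with the first, second, fourth and fifth rejected.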
Security Summary
CVE-2025-41736 is a path traversal vulnerability (CWE-22, CWE-35) in PHP-based file upload functionality that enables a low-privileged remote attacker to upload a new Python script or overwrite an existing one by manipulating the target filename. This leads to remote code execution (RCE) on the affected system. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and potential for complete system compromise.
A low-privileged remote attacker with existing access, such as an authenticated user, can exploit this vulnerability over the network without user interaction. By crafting a malicious filename that traverses directories (e.g., using sequences like '../'), the attacker uploads or modifies Python scripts that are subsequently executed, granting high-impact control over confidentiality, integrity, and availability. This could allow arbitrary code execution, data exfiltration, persistence, or further lateral movement.
For mitigation details, refer to the advisory published by CERT VDE at https://certvde.com/de/advisories/VDE-2025-097.
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'), CWE-35 (Path Traversal: '.../...//')
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The upload endpoint is reachable over the network by an authenticated low-privileged user, so exploiting the path traversal to write or overwrite a Python script maps to T1190 (Exploit Public-Facing Application). Because the planted script is subsequently executed by the host with the service's privileges rather than the attacker's, the resulting code execution also maps to T1068 (Exploitation for Privilege Escalation).