To ensure system security, it is mandatory to update Ewon devices to the latest available firmware during installation.
Firmware version 15.0 has been specifically developed to comply with the new EU cyber-security requirements of the Radio Equipment Directive (RED), effective August 1, 2025.
In addition to firmware updates, you must:
These measures are essential to maintain the cyber-security integrity of your installation.
This document outlines the key firmware changes and highlights configuration impacts that may require adjustments during device setup.
The Ewon FTP server is now disabled by default (factory settings and after reset).
It can be enabled on VPN and/or LAN interfaces via the advanced parameter ‘ClosedDevice’.
Example values are provided; see (link) for details.
Behavior | ClosedDevice Value |
FTP server is closed on all interfaces: LAN, WAN & VPN | 21 (default) |
FTP (& HTTP) server is opened on LAN & VPN | 0 |
FTP server is closed on LAN, opened on VPN | 1 |
FTP server is closed on VPN, opened on LAN | 16 |
The parameter can be set using the Tabular edition feature, under Setup > System > Storage > Tabular edition > Edit COM cfg.
The Ewon NTP server is disabled by default. To use the Ewon as an NTP relay, the NTP server must be manually enabled in Setup > System > Main > Net Services > NTP server.
USB over IP allows access to a USB device via a Talk2m connection, appearing locally in eCatcher. To use this feature, it must be manually enabled in Setup > System > Communication > General > USBIP.
When enabling, the default Log Level and Start Port values can be kept.
Note: A shortcut to the USBIP setup page is available on the Summary page under the Gateway Status section.
The Ewon HTTP server, used to display the web configuration pages, is no longer accessible via the WAN interface.
The SMTP client, used to send email notifications, now works only through the VPN interface using the Talk2m mail relay.
Using a custom SMTP server is no longer supported.
Previously, the Profinet Explorer started scanning automatically when the page was opened. Now, the scan must be manually triggered using the Refresh button.
Path: Setup > System > Main > Net services > Profinet Explorer
The DynDNS (dynamic DNS) feature has been removed from the Ewon device.
The OPC UA server’s resistance to brute force attacks was analysed and improved, particularly regarding password strength enforcement.
Weak passwords are now automatically rejected. When a weak password is entered, the system logs an error and displays a warning in the GUI. Only strong passwords will allow successful authentication.
The password policy for the OPC UA server requires passwords to be between 12 and 30 characters long and to include at least three of the following: 1 uppercase, 1 lowercase, 1 digit, 1 special character.
The insecure security policies 'None' and 'Basic256' are now disabled by default. If necessary, these policies can be manually re-enabled via the GUI or the config.txt file.
When configuring OPC UA client or server settings, users now see warnings for settings that are unencrypted or lack authentication.
The Ethernet to serial gateways are now disabled by default (factory settings and after reset).
Each serial gateway can be enabled under the Global Settings of the IOServer config: Tags > IO Servers > General > Global Settings.
Serial over IP allows access to a serial device via a Talk2m connection.
Incoming PSTN connections (landline connections) are no longer supported. Outgoing PSTN connections are still possible.
The linked Callback feature and Transparent Forwarding have also been removed.
The Ewon device now logs successful and failed login attempts across all its various configuration interfaces (Web server, EBD, FTP server, etc.).
Example EventLog messages:
Time | Event | Description | Originator |
15/06/2025 23:10 | -21305 | eftp-Open FTP session (User: Adm) | Ftps |
15/06/2025 23:13 | -28611 | secu-Authentication failure (From FTP server) | ftps |
15/06/2025 22:51 | -28611 | secu-Authentication failure (From WEB server) | http |
15/06/2025 22:51 | -21020 | east-User has logged into the device web interface (adm) | http |
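One way to use these login events for monitoring, as an added example that is not part of the original document or Ewon's own tooling: the script parses rows in the table layout shown above and flags a burst of authentication failures per originator, and a successful login that follows such a burst. The threshold, the time window and the assumption that an export uses this exact layout are choices made for the example; the event IDs are the ones in the sample messages.

```python
from collections import defaultdict
from datetime import datetime, timedelta

AUTH_FAILURE = -28611              # "secu-Authentication failure" in the sample above
LOGIN_SUCCESS = {-21305, -21020}   # FTP session opened, web interface login

# First four rows are the document's examples; the last four are constructed.
SAMPLE = """\
Time | Event | Description | Originator |
15/06/2025 23:10 | -21305 | eftp-Open FTP session (User: Adm) | Ftps |
15/06/2025 23:13 | -28611 | secu-Authentication failure (From FTP server) | ftps |
15/06/2025 22:51 | -28611 | secu-Authentication failure (From WEB server) | http |
15/06/2025 22:51 | -21020 | east-User has logged into the device web interface (adm) | http |
15/06/2025 23:13 | -28611 | secu-Authentication failure (From FTP server) | ftps |
15/06/2025 23:14 | -28611 | secu-Authentication failure (From FTP server) | ftps |
15/06/2025 23:14 | -28611 | secu-Authentication failure (From FTP server) | ftps |
15/06/2025 23:15 | -21305 | eftp-Open FTP session (User: Adm) | ftps |
"""

def parse_events(text):
    """Return (time, event_id, description, originator) tuples in time order."""
    events = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        try:
            when = datetime.strptime(cells[0], "%d/%m/%Y %H:%M")
            event_id = int(cells[1])
        except ValueError:
            continue  # header row or malformed line
        # Originator case varies in the sample ("Ftps" / "ftps"), so normalise it.
        events.append((when, event_id, cells[2], cells[3].lower()))
    return sorted(events, key=lambda e: e[0])  # stable: same-minute rows keep file order

def detect(events, threshold=3, window=timedelta(minutes=5)):
    """Flag failure bursts per originator and logins that follow a burst."""
    failures = defaultdict(list)  # originator -> failure times still inside the window
    alerts = []
    for when, event_id, _desc, origin in events:
        fails = failures[origin] = [t for t in failures[origin] if when - t <= window]
        if event_id == AUTH_FAILURE:
            fails.append(when)
            if len(fails) == threshold:  # alert once when the threshold is reached
                alerts.append(("burst", origin, fails[0]))
        elif event_id in LOGIN_SUCCESS:
            if len(fails) >= threshold:
                alerts.append(("login-after-burst", origin, when))
            fails.clear()
    return alerts
```

A single failure followed by a login, as in the web server rows of the sample, stays below the threshold and raises no alert.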
Logging has been added to track the configuration and usage of privacy assets (e.g., email and SMS). The log records when values are configured and when they are used.
Example EventLog messages:
Time | Event | Description | Originator |
15/06/2025 22:22 | 1073788325 | cfgw-The COM configuration has been modified | http |
15/06/2025 22:23 | -34559 | ecfg-Default Admin password has been changed | http |
A persistent Privacy Asset Log (PAL) has been implemented to comply with RED requirements, ensuring Privacy Asset Event logs are retained after a reboot.
A new Export Block descriptor (EBD), dtPAL, allows downloading all log entries in a single file without deleting them.
EBD syntax example: http://#deviceIP#/rcgi.bin/ParamForm?AST_Param=$dtPAL$fnLogText.txt
Note: The PAL stores events in three rotating log files located in /usr/PALog/, each up to 0.3 MB. Older files are automatically deleted to maintain storage limits.
The FTP server is disabled by default and needs to be enabled first via the GUI (tabular editor). If enabled on the LAN interface, it needs to be disabled after use unless physical and LAN access are secured.
Alternatively, configuration via USB stick can be used.
Backup and restore via eBuddy use the FTP server, which needs to be enabled first through the GUI. If enabled on the LAN interface, the FTP server needs to be disabled after use unless physical and LAN access are secured.
As the USB over IP feature is disabled by default, you must first enable it on the Ewon device before you can remotely access the connected USB device.
A shortcut to the USB over IP setup page is available on the Cosy+ summary page, under the Gateway Status section.
If you (or a local service) connect to the OPC UA server using the Username/Password login type, make sure you are using a user account with a strong password. Starting from firmware version 15.0, the OPC UA server rejects connections that use weak passwords. You may need to create a user with a sufficiently strong password to connect successfully.
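A pre-upgrade check for the OPC UA password policy stated earlier (12 to 30 characters, at least three of the four character classes), as an added example that is not part of the original document or the device firmware. The account names and passwords are constructed, and treating "special character" as ASCII punctuation is an assumption, since the document does not list the accepted set.

```python
import string

MIN_LEN, MAX_LEN, MIN_CLASSES = 12, 30, 3  # limits stated in this document

def password_problems(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length {len(password)} outside {MIN_LEN}-{MAX_LEN}")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        # Assumption: "special" means ASCII punctuation.
        "special": any(c in string.punctuation for c in password),
    }
    present = [name for name, found in classes.items() if found]
    if len(present) < MIN_CLASSES:
        found = ", ".join(present) or "none"
        problems.append(f"only {len(present)} character classes ({found})")
    return problems

def audit(accounts):
    """Map each failing account name to its list of violations."""
    return {user: p for user, pw in accounts.items() if (p := password_problems(pw))}

# Constructed accounts for illustration only.
ACCOUNTS = {
    "opc_reader": "plantfloor1",          # too short and only two classes
    "opc_hmi": "Line4-Conveyor-2025",     # passes
    "opc_scada": "correcthorsebattery",   # long enough but a single class
}

if __name__ == "__main__":
    for user, problems in audit(ACCOUNTS).items():
        print(f"{user}: {'; '.join(problems)}")
```

Accounts reported here are the ones to replace before moving OPC UA clients to firmware 15.0.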
Since the Ethernet-to-Serial gateways are disabled by default, you must first enable them on the Ewon device before you can remotely access the connected serial PLC or device.