Ewon Cosy 141 Loses Talk2M by End of 2026: Build Your Own Remote-Maintenance Platform

Editorial note: The information in this article was compiled to the best of our knowledge at the time of publication. Technical details, prices, versions, licensing terms, and external content may change. Please verify the information provided independently, particularly before making business-critical or security-related decisions. This article does not replace individual professional, legal, or tax advice.

Your own remote-maintenance platform instead of Talk2M lock-in - WZ-IT builds self-hosted remote management on WireGuard site tunnels, browser HMI and role-based access. Multi-tenant, auditable, operated in the EU.
Anyone who services machines and plants remotely knows the little boxes in the control cabinet: Ewon Cosy from HMS Networks, plus the Talk2M cloud that builds the VPN tunnel to the field engineer. That convenience is now turning into a cost trap. As things stand in June 2026, Talk2M access for the Ewon Cosy 141 series and the entire CD generation ends at the end of 2026. Anyone affected has to swap hardware - and then sits in the same dependency again.
In parallel, the ownership landscape has shifted: HMS Networks acquired Red Lion Controls in 2024 and now runs Red Lion and N-Tron as its own brands. The German MB connect line was carved back out of the group via a management buyout in the same year. Three moves, one pattern: roadmaps, cloud terms and licence models change without the plant operator having any say. This article puts the news into context and shows why a self-hosted remote-maintenance platform is the strategically cleaner answer - and how migrating off Ewon, IXON or Secomea actually works.
Table of contents
- What happens to Ewon Cosy 141 and CD at the end of 2026
- The HMS roll-up: Ewon, Red Lion and N-Tron under one roof
- The real risk: vendor lock-in on industrial VPN routers
- Security track record: CVEs in Ewon Cosy+ and IXON
- The alternative: your own remote-maintenance platform
- Migrating off Ewon, IXON or Secomea
- ABCO Water Systems and nextGYM as proof
- How we work at WZ-IT
- Further reading
What happens to Ewon Cosy 141 and CD at the end of 2026
The Ewon Cosy 141 and the CD generation (models such as 4101CD, 2101CD, 4001CD, 2104CD) are end-of-life. HMS Networks has listed them for several years in its official Ewon Product List as exit-phase products: "still supported on our Talk2M platform for now, but it is time to plan their replacement". The concrete cut-off date comes not from the HMS page itself but from the Ewon distribution's replacement communication: as things stand in June 2026, remote access via Talk2M for the Cosy 141 and CD ends at the close of 2026, and from 1 January 2027 these devices can no longer establish a connection. HMS recommends the Cosy+ range or the Flexy 205 with a serial or MPI expansion card as the successor.
In practice that means: every plant connected today via a Cosy 141 or a CD box loses vendor-side remote access from 2027. The field engineer can no longer reach the PLC, the HMI or the drive remotely. For machine builders with an installed base in the hundreds, that forces a rollout - often including an on-site visit at every customer - and at the end you have another device tied to the same cloud and the same licence model.
The HMS roll-up: Ewon, Red Lion and N-Tron under one roof
This end-of-life lands in a phase of heavy consolidation. HMS Networks, a Swedish group listed on Nasdaq Stockholm, acquired Red Lion Controls for around 345 million US dollars in 2024 and expanded its North American presence. Since then HMS runs Red Lion and N-Tron as official product brands alongside Ewon, Anybus and Ixxat. A growing share of industrial connectivity now sits with a single vendor.
At the same time a move ran in the opposite direction: Red Lion had acquired the German MB connect line GmbH (mbNET routers, mbCONNECT24 cloud) in 2022. It moved to HMS through the Red Lion deal - and was carved back out in October 2024. Long-standing managers Timo Bednarek and Alexander Kamm took 100 percent of the shares via a management buyout for 5 million euros. Red Lion Europe GmbH became the independent MB connect line GmbH again, back in German hands. For users the message from both events is the same: who owns the device and the cloud can change within months - along with the roadmap, the data location and the pricing.
The real risk: vendor lock-in on industrial VPN routers
The Talk2M shutdown is just the immediate trigger. The structural problem is the blueprint itself: a proprietary router plus its matching vendor cloud. That creates three risks that apply to Ewon just as much as to IXON, Secomea or mbCONNECT24:
- Forced device and cloud EOL. The vendor decides when a device drops out of its cloud. The Cosy 141 is the current example, and it will not be the last. A hardware lifecycle of eight to ten years is normal in automation - the cloud connection rarely lasts that long.
- Ownership changes outside your control. Buying from a vendor today means buying tomorrow's owner's roadmap with it. The HMS, Red Lion and MB connect line story shows how quickly responsibilities shift.
- Licence cost per device or connection. Talk2M Pro and comparable plans charge per connected device or per concurrent connection. Every new machine grows the recurring licence - whether or not you use the feature set at all.
On top of that comes data sovereignty: the VPN tunnel to your plant terminates in a cloud you do not operate and whose logs you cannot fully inspect. For organisations in scope of NIS2 that is a point that is hard to audit.
Security track record: CVEs in Ewon Cosy+ and IXON
The obvious reflex - just move to the Cosy+ as the successor - does not solve the security question. At DEF CON 32, SySS researcher Moritz Abrell demonstrated how to take over the Ewon Cosy+. The chain of CVE-2024-33892 (credentials in a cookie), CVE-2024-33894 (processes running with elevated privileges) and CVE-2024-33896 (OS command injection via the OpenVPN configuration) let an unauthenticated attacker gain root access. From there, encrypted firmware and configuration passwords could be decrypted and, most critically, valid X.509 VPN certificates for other devices could be forged to hijack their Talk2M sessions. The issues were fixed in firmware versions 21.2s10 and 22.1s3 (updates from July 2024).
The competition is no safer. In the IXON VPN client, the security researchers at Shelltrail found CVE-2025-26168 and CVE-2025-26169 (CVSS 8.1). On Linux, a predictable temporary OpenVPN configuration plus a named pipe allowed local privilege escalation to root; on Windows, a race condition in C:\Windows\Temp allowed escalation to SYSTEM - with no active VPN connection needed. The issues were fixed in client version 1.4.4. The pattern is clear: every black-box appliance with its own client software is another attack surface you cannot harden yourself.
The alternative: your own remote-maintenance platform
A self-hosted platform inverts the logic. Instead of a proprietary router plus a vendor cloud, we use an open, auditable stack that you control:
- WireGuard site tunnels to every plant. WireGuard sits in the Linux kernel at around 4,000 lines of code, authenticates peers by public key only, and has no login portal that could be bypassed. The tunnel terminates on your infrastructure, not in someone else's cloud.
- Browser HMI through a central portal. Field engineers reach VNC, RDP and SSH HMIs through the browser via Apache Guacamole - without a locally installed VPN client that becomes an attack surface. Classic panel HMIs and modern web HMIs both become reachable.
- Role-based access (RBAC) and a complete audit log. Who accessed which plant and when is filterable in the UI, which is exactly what Talk2M logs do not fully provide.
- Multi-tenancy. A machine builder runs one platform for all end customers, cleanly separated per tenant - each customer sees only their own plants.
- Identity through your SSO. Connected to Keycloak, Authentik or Entra. Anyone who leaves the company loses all access the moment they are disabled in the identity provider.
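Tenant separation on a shared WireGuard hub depends on each peer's AllowedIPs, which WireGuard uses both as the routing table for outgoing packets and as the source filter for incoming ones. The following audit script is an added example, not WZ-IT's own code: it flags plant peers with overly broad routes and routes that overlap another peer's. The sample config, the `# tenant=... site=...` comment labels and the `min_prefix` threshold are assumptions made for illustration.

```python
import ipaddress

# Constructed sample hub config: keys, tenants and subnets are placeholders.
SAMPLE_HUB_CONF = """\
[Interface]
Address = 10.90.0.1/24
# tenant=acme site=plant-01
[Peer]
PublicKey = <plant-01-public-key>
AllowedIPs = 10.90.0.11/32, 192.168.10.0/24
# tenant=acme site=plant-02
[Peer]
PublicKey = <plant-02-public-key>
AllowedIPs = 10.90.0.12/32, 0.0.0.0/0
# tenant=globex site=plant-07
[Peer]
PublicKey = <plant-07-public-key>
AllowedIPs = 10.90.0.13/32, 192.168.10.128/25
"""

def parse_peers(text):
    """Return [(label, [networks])] per [Peer]; label = comment line above it."""
    peers, label, current = [], "", None
    for line in map(str.strip, text.splitlines()):
        key, _, value = line.partition("=")
        if line.startswith("#"):
            label = line.lstrip("# ")
        elif line.startswith("["):
            current = (label or f"peer-{len(peers) + 1}", []) if line == "[Peer]" else None
            label = ""
            if current:
                peers.append(current)
        elif current and key.strip() == "AllowedIPs":
            current[1].extend(ipaddress.ip_network(v.strip(), strict=False)
                              for v in value.split(","))
    return peers

def audit(text, min_prefix=16):
    """Flag routes broader than /min_prefix and routes overlapping another peer."""
    peers = parse_peers(text)
    findings = [f"BROAD {label}: {net}" for label, nets in peers
                for net in nets if net.prefixlen < min_prefix]
    for i, (la, na) in enumerate(peers):
        for lb, nb in peers[i + 1:]:
            findings += [f"OVERLAP {la} <-> {lb}: {a} / {b}" for a in na for b in nb
                         if a.version == b.version and a.overlaps(b)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_HUB_CONF)))
```

Overlaps between plant LANs of different customers are common in practice because many sites use the same private ranges; such sites need address translation or separate tunnel interfaces before they can share a hub.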
If you prefer a managed mesh, combine the site tunnels with NetBird as a zero-trust layer. Details on architecture and operation are on our NetBird and WireGuard pages.
Migrating off Ewon, IXON or Secomea
The switch is not a weekend flip, but it runs predictably in three phases:
Phase 1 - inventory. Which sites hang off which devices (Cosy 141, CD, Cosy+, IXON, SiteManager)? Which protocols and HMIs need to be reachable - PLC, drive, panel HMI, web HMI? Which service partners need which rights? The output is an architecture and migration plan with a target-versus-actual comparison.
Phase 2 - pilot. We build the platform (WireGuard gateway, portal, RBAC, audit) on your own or rented EU infrastructure and connect a first site - in parallel with the existing cloud. That lets you test NAT traversal behind real customer networks, performance and permission models under real conditions.
Phase 3 - rollout. Site by site, the old box is retired, each with a clear rollback path. Only after a successful cutover is the legacy device decommissioned. With the Cosy 141 and CD, the hardware end-of-life that is coming anyway is a natural occasion to move straight to a sovereign stack instead of investing in a vendor cloud again.
ABCO Water Systems and nextGYM as proof
This is not a concept paper. For ABCO Water Systems in Australia we operate exactly this kind of platform: remote access and maintenance for distributed water treatment plants through a central portal, with browser HMI access and clean tenant separation. Field engineers reach every plant through the browser, without any inbound port being open at a plant.
In Germany we run a comparable platform for nextGYM GmbH across distributed studio sites - with a central dashboard, per-site permission management and Node-RED automation. Both cases show that running your own remote-maintenance platform is an operable standard for mid-market companies and machine builders today, not a high-risk in-house build.
How we work at WZ-IT
We build and operate remote-management platforms as a managed service or as a handover into your own operation. The stack runs on your own or our rented EU infrastructure, GDPR-compliant and without the per-device licence trap.
Design and build. WireGuard site tunnels, browser HMI via Guacamole, RBAC and audit trail, multi-tenant model, SSO integration. The base usually stands within a few weeks.
Migration off vendor clouds. For Ewon Cosy 141 and CD, Cosy+, IXON and Secomea we have a migration runbook including parallel operation. We use the hardware swap forced by the Talk2M deadline as the lever to get you straight out of the lock-in.
Operation with a security focus. Secure remote maintenance for machines and plants means monitoring, CVE tracking of the components in use and an audit log fit for NIS2 documentation. A self-hosted platform with RBAC and a complete audit covers access control and traceability far better than a black-box cloud. This article is general information and not legal advice.
Further reading
- Remote-management platforms - the sovereign stack as a managed service or in-house operation
- Secure remote maintenance for machines and plants - architecture and security requirements in detail
- WireGuard for site connectivity - how plants connect securely to the portal
- What is NetBird? - zero-trust mesh as an alternative to the site tunnel
- NetBird Managed and WireGuard Hosting - operation and scope
- Case study ABCO Water Systems - remote maintenance of distributed plants in practice
Your machines hang off Ewon Cosy 141, IXON or Secomea and you want out of the vendor lock-in before the Talk2M deadline? We assess your installed base for free and deliver a migration plan to your own platform - with an effort estimate, a cost comparison and parallel operation.
Sources
- HMS Networks Support: Ewon Product List - Firmware Versions and Replacement Guide
- FOXON (Ewon distribution): Talk2M connectivity for Ewon 141 and CD ends in 2026
- Red Lion / HMS Networks: HMS Networks Acquires Red Lion Controls
- ARC Advisory: HMS Networks Introduces Red Lion and N-Tron as Official Product Brands
- HMS Networks: Completed divestment of MB Connect Line
- MB connect line: Independence with tradition - MB connect line takes its own path again
- SySS Tech Blog: Hacking a Secure Industrial Remote Access Gateway (Ewon Cosy+)
- NVD: CVE-2024-33892 (Ewon Cosy+)
- Shelltrail: Three new CVEs related to IXON VPN client (Local Privilege Escalation)
- WireGuard: official project site
Frequently Asked Questions
Answers to important questions about this topic
HMS Networks has listed the Ewon Cosy 141 and the entire CD generation (4101CD, 2101CD, 4001CD and others) as exit-phase products for several years. As things stand in June 2026, remote access via Talk2M for these series ends at the end of 2026. HMS recommends moving to the Cosy+ or Flexy 205. Anyone affected has to swap hardware and faces the same choice again: re-bind to a vendor cloud or build their own platform.
HMS Networks acquired Red Lion Controls in 2024 for around 345 million US dollars and now markets Red Lion and N-Tron as official product brands. Ewon, Red Lion, N-Tron, Anybus and Ixxat all sit under one Nasdaq Stockholm-listed Swedish group. The German MB connect line (mbNET, mbCONNECT24) was carved out via a management buyout in October 2024 and is independent again. Such ownership changes show how quickly roadmaps, cloud terms and licence models can change without the user having any say.
The Cosy+ is the current successor, but it had serious vulnerabilities of its own in 2024. SySS researcher Moritz Abrell showed at DEF CON 32 a chain from CVE-2024-33892 to CVE-2024-33896 that let an unauthenticated attacker gain root access, decrypt encrypted firmware and configuration passwords, and even forge valid VPN certificates for other devices. The issues were fixed in firmware versions 21.2s10 and 22.1s3. A newer device alone does not solve the structural problem.
In three phases: inventory of sites, devices and service access; a pilot with one site running in parallel with the existing cloud; a step-by-step rollout per site with a clear rollback. Instead of a vendor cloud we build WireGuard site tunnels to every plant, browser HMI access through a central portal, role-based permissions and a complete audit log. The existing solution can keep running during migration until the cutover is safely complete.
A self-hosted platform with WireGuard, role-based access control and a complete audit trail meets core NIS2 requirements for access control, traceability and risk management far better than a black-box cloud whose logs and data locations sit with the vendor. You keep keys, logs and data sovereignty in house. This article is general information and not legal advice.
Vendor clouds typically charge per device or per concurrent connection, plus the forced hardware swap at end-of-life. Your own platform runs on your own or rented EU infrastructure with predictable operating costs instead of per-device licences. Beyond a double-digit number of connected plants the build usually pays off quickly, because each additional machine no longer triggers a new licence.

Written by
Timo Wevelsiep
Co-Founder & CEO
Co-Founder of WZ-IT. Specialized in cloud infrastructure, open-source platforms and managed services for SMEs and enterprise clients worldwide.


Timo Wevelsiep & Robin Zins
Managing Directors of WZ-IT





