PatchSiren

CVE-2024-49396 Elvaco CVE debrief

CVE-2024-49396 is a HIGH severity vulnerability (CVSS 7.5) in the Elvaco M-Bus Metering Gateway CMe3100, published on 2024-10-17 and last modified on 2024-11-14. The vulnerability stems from insufficiently protected credentials in the affected product, which may allow an attacker to impersonate Elvaco and transmit false information. The CISA advisory (ICSA-24-291-01) was initially published on 2024-10-17 and updated on 2024-11-14 to include additional mitigation information. According to the vendor, the remaining identified vulnerabilities require authentication to exploit, posing less immediate risk, though an additional security update is planned. Users of affected versions should contact Elvaco customer support for remediation guidance.

Vendor: Elvaco
Product: CMe3100
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-10-17
Original CVE updated: 2024-11-14
Advisory published: 2024-10-17
Advisory updated: 2024-11-14

Who should care

Organizations operating Elvaco CMe3100 M-Bus Metering Gateway devices in utility, building automation, or industrial metering environments; ICS security teams responsible for M-Bus infrastructure; and critical infrastructure operators relying on accurate metering data for billing or operational decisions.

Technical summary

The Elvaco CMe3100 M-Bus Metering Gateway contains a vulnerability where credentials are insufficiently protected, enabling attackers to impersonate the vendor and inject false information into the system. The CVSS 3.1 score of 7.5 reflects network accessibility with low attack complexity, no required privileges or user interaction, and high impact to integrity. The vendor has indicated that remaining vulnerabilities require authentication, reducing immediate risk, and is developing additional security updates.

Defensive priority

HIGH

Recommended defensive actions

  • Contact Elvaco customer support for affected product versions to obtain security update information and remediation guidance
  • Monitor for additional security updates from Elvaco addressing remaining authenticated vulnerabilities
  • Review and implement CISA ICS recommended practices for securing industrial control systems
  • Apply network segmentation and access controls to limit exposure of M-Bus Metering Gateway devices
  • Ensure strong authentication mechanisms are enforced for all administrative access to affected devices

Evidence notes

The vulnerability description and remediation details are sourced from CISA CSAF advisory ICSA-24-291-01. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. The affected product is confirmed as Elvaco CMe3100 version 1.12.1. The vendor's assessment that the remaining issues require authentication comes from Update A (2024-11-14).
