PatchSiren cyber security CVE debrief
CVE-2024-49397 Elvaco CVE debrief
A stored cross-site scripting (XSS) vulnerability in the Elvaco CMe3100 M-Bus Metering Gateway allows unauthenticated remote attackers to bypass authentication and compromise administrative accounts. The flaw, rated CVSS 3.1 8.1 (High), was disclosed by CISA on October 17, 2024, with an advisory update on November 14, 2024 adding mitigation guidance. The affected version is 1.12.1. Elvaco released firmware version 1.13.3 on or before November 14, 2024, which contains security enhancements addressing this authentication bypass vector. Organizations should upgrade immediately and ensure devices are not exposed to untrusted networks.
- Vendor
- Elvaco
- Product
- CMe3100
- CVSS
- HIGH 8.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-10-17
- Original CVE updated
- 2024-11-14
- Advisory published
- 2024-10-17
- Advisory updated
- 2024-11-14
Who should care
Organizations operating Elvaco CMe3100 M-Bus Metering Gateways in utility, building automation, or industrial metering environments; OT security teams managing M-Bus infrastructure; and critical infrastructure operators relying on secure gateway communications for energy or water metering data collection.
Technical summary
The Elvaco CMe3100 M-Bus Metering Gateway version 1.12.1 contains a stored cross-site scripting vulnerability that can be exploited without authentication. Successful exploitation allows an attacker to bypass authentication mechanisms and gain administrative control of the device. The attack complexity is rated as high per CVSS 3.1, indicating some conditions must be met for exploitation. The vulnerability has network attack vector with no privileges required. Elvaco addressed this specific authentication bypass risk in firmware version 1.13.3, released as a vendor fix. Additional vulnerabilities requiring authentication remain under active remediation by the vendor.
Defensive priority
critical
Recommended defensive actions
- Upgrade Elvaco CMe3100 firmware to version 1.13.3 or later to address the authentication bypass vulnerability
- Ensure CMe3100 devices are deployed on private or closed networks and not directly exposed to untrusted networks
- Review and apply CISA ICS recommended practices for securing industrial control systems
- Contact Elvaco customer support for additional information if running affected firmware versions
- Monitor for additional security updates from Elvaco as they continue addressing remaining authenticated vulnerabilities
Evidence notes
CISA ICS Advisory ICSA-24-291-01 (initial) and Update A (2024-11-14) document the XSS vulnerability enabling authentication bypass and admin account takeover. CVSS 3.1 vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H confirms network attack vector with high confidentiality, integrity, and availability impact. Remediation details specify firmware 1.13.3 as the vendor fix.
Official resources
-
CVE-2024-49397 CVE record
CVE.org
-
CVE-2024-49397 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-10-17