PatchSiren cyber security CVE debrief
CVE-2024-49398 Elvaco CVE debrief
CVE-2024-49398 is a critical vulnerability (CVSS 3.1 base score 9.1) in the Elvaco M-Bus Metering Gateway CMe3100, version 1.12.1. The gateway accepts file uploads without adequate restriction, which may allow a remote attacker to execute code on the device. CISA published advisory ICSA-24-291-01 on October 17, 2024 and issued Update A on November 14, 2024 with mitigation information. In that update Elvaco states that exploitation of the remaining identified vulnerabilities requires authentication to the device, which the vendor considers to reduce immediate risk; the published CVSS vector (PR:N) does not reflect that authentication requirement, so operators should treat the device as exposed to unauthenticated attack until the vendor confirms otherwise. Elvaco is working on further updates to address the remaining risk. Operators of affected versions should contact Elvaco customer support for remediation guidance.
- Vendor: Elvaco
- Product: CMe3100
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-17
- Original CVE updated: 2024-11-14
- Advisory published: 2024-10-17
- Advisory updated: 2024-11-14
Who should care
Organizations operating Elvaco CMe3100 M-Bus Metering Gateway devices in industrial control system (ICS) or operational technology (OT) environments, particularly energy, utilities and building automation operators whose metering infrastructure is built on M-Bus.
Technical summary
The Elvaco CMe3100 M-Bus Metering Gateway version 1.12.1 contains an unrestricted file upload vulnerability that may enable remote code execution. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) describes an issue exploitable over the network with low attack complexity, requiring no privileges and no user interaction, with high impact to integrity and availability and no direct confidentiality impact; that profile is consistent with an upload that alters the device rather than reads from it, and the vector computes to the published 9.1. CISA's November 14, 2024 update added mitigation information, in which the vendor notes that the remaining identified vulnerabilities require authentication for exploitation. The vendor is developing additional security updates.
Defensive priority
critical
Recommended defensive actions
- Contact Elvaco customer support immediately for remediation guidance and further information on affected M-Bus Metering Gateway CMe3100 devices
- Apply vendor-provided updates as they become available; Elvaco is working on additional security updates to address the remaining risk
- Segment the network so the gateway's management interface is reachable only from the OT management network, never from untrusted or internet-facing segments
- Follow CISA ICS recommended practices for defense-in-depth strategies
- Monitor for unauthorized access attempts and anomalous file upload activity on affected gateways, in particular HTTP POST or PUT requests to the gateway's web interface from hosts outside the management network
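The segmentation and monitoring actions above share one policy: only the management network may write to the gateway. The following added example (not from the advisory, CISA or Elvaco) applies that policy to access logs from a reverse proxy or web firewall placed in front of the gateway, flagging every write request whose source is outside the allowed subnet. The proxy placement, the management subnet and the request paths are assumptions chosen for illustration, and the log lines are constructed; the advisory does not name the vulnerable endpoint, so the check deliberately covers all write methods rather than one path.

```python
"""Flag HTTP write requests to a CMe3100 gateway from outside the
management network (added example; not vendor or CISA code).

Assumes a proxy in front of the gateway writing Apache/nginx common or
combined access-log lines. Addresses, subnets and paths are placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Site-specific placeholder (assumption): who is allowed to manage the gateway.
MANAGEMENT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Any of these could carry a file upload; the advisory names no endpoint,
# so every write method to the gateway is of interest.
WRITE_METHODS = {"POST", "PUT", "PATCH"}

# Common/combined log format: host ident authuser [time] "request" status bytes ...
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


@dataclass
class Finding:
    ts: str
    src: str
    method: str
    path: str
    status: int
    reason: str


def is_management_source(src: str) -> bool:
    """True if src parses as an IP address inside an allowed management subnet."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MANAGEMENT_NETS)


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for a write request from outside the management nets."""
    m = COMBINED_RE.match(line)
    if not m:
        return None  # not an access-log line; ignore
    method = m["method"]
    if method not in WRITE_METHODS or is_management_source(m["src"]):
        return None
    status = int(m["status"])
    reason = "write request from outside management subnet"
    if 200 <= status < 300:
        # A 2xx means the gateway accepted the request: treat as a possible upload.
        reason += " (accepted by gateway)"
    return Finding(m["ts"], m["src"], method, m["path"], status, reason)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run check_line over a log and collect findings in order."""
    return [f for f in (check_line(line) for line in lines) if f]


# Constructed sample log lines (not real traffic; paths are placeholders).
SAMPLE_LOG = """\
10.20.0.15 - admin [14/Nov/2024:09:12:01 +0000] "GET /index.html HTTP/1.1" 200 1532
10.20.0.15 - admin [14/Nov/2024:09:12:40 +0000] "POST /settings HTTP/1.1" 200 88
192.0.2.77 - - [14/Nov/2024:09:13:05 +0000] "GET /index.html HTTP/1.1" 200 1532
192.0.2.77 - - [14/Nov/2024:09:13:19 +0000] "POST /upload HTTP/1.1" 200 0
198.51.100.9 - - [14/Nov/2024:09:14:02 +0000] "PUT /files/x.bin HTTP/1.1" 403 0
not a log line
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(f"{finding.ts} {finding.src} {finding.method} {finding.path} "
              f"{finding.status}: {finding.reason}")
```

On the sample above the two management-subnet requests and the plain GETs pass, the POST from 192.0.2.77 is flagged as accepted, and the PUT from 198.51.100.9 is flagged as a blocked attempt. Run the same policy in the other direction too: if the firewall in front of the gateway only permits the management subnet, a flagged line with a 2xx status means the segmentation is not working.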
Evidence notes
Vulnerability confirmed via CISA CSAF advisory ICSA-24-291-01. Affected product explicitly identified as Elvaco CMe3100 version 1.12.1. The CVSS 3.1 vector records a network attack vector with low complexity, no privileges required and high impact to integrity and availability, and it computes to the published 9.1 score. The vendor's statement that remaining vulnerabilities require authentication appears only in the Update A mitigation text, not in the vector.
Official resources
- CVE-2024-49398 CVE record (CVE.org)
- CVE-2024-49398 NVD detail (NVD)
- CISA CSAF advisory ICSA-24-291-01 (source item, cisa_csaf)
2024-10-17