PatchSiren cyber security CVE debrief
CVE-2024-49399 Elvaco CVE debrief
CVE-2024-49399 is a HIGH severity authentication bypass vulnerability in the Elvaco M-Bus Metering Gateway CMe3100, published by CISA on October 17, 2024, with an update on November 14, 2024. The vulnerability allows an unauthenticated attacker to execute commands without providing a password, potentially leading to information disclosure. The affected product is specifically Elvaco CMe3100 version 1.12.1. Elvaco has released firmware version 1.13.3 which addresses this vulnerability along with CVE-2024-49397. Organizations should upgrade to firmware 1.13.3 and ensure devices are not exposed to untrusted networks.
- Vendor: Elvaco
- Product: CMe3100
- CVSS: 7.5 (HIGH)
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-10-17
- Original CVE updated: 2024-11-14
- Advisory published: 2024-10-17
- Advisory updated: 2024-11-14
Who should care
Organizations operating Elvaco CMe3100 M-Bus Metering Gateways in utility, building automation, or industrial metering environments should prioritize this update. System integrators and operators of critical infrastructure relying on M-Bus gateway devices for energy consumption monitoring should assess exposure and apply mitigations.
Technical summary
The Elvaco M-Bus Metering Gateway CMe3100 version 1.12.1 contains an authentication bypass vulnerability that allows an attacker to execute commands without providing a password. This unauthenticated access may enable an attacker to leak information from the device. The vulnerability has a CVSS 3.1 base score of 7.5 (HIGH) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network exploitable, low attack complexity, no privileges required, no user interaction, scope unchanged, high impact to confidentiality and no integrity or availability impact. Note that the vector credits only confidentiality impact, so the 7.5 reflects the information leak the advisory describes as the outcome of the password-less command execution, not a modification or denial-of-service impact. Elvaco released firmware version 1.13.3 on or before November 14, 2024, which includes security enhancements addressing this vulnerability and CVE-2024-49397. The vendor notes that additional vulnerabilities requiring authentication remain and will be addressed in a subsequent update, so 1.13.3 should be treated as an interim fix that still leaves authenticated attack surface.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Elvaco CMe3100 firmware to version 1.13.3 or later to address CVE-2024-49399
- Ensure CMe3100 devices are deployed on private or closed networks and not exposed to untrusted or internet-facing networks
- Contact Elvaco customer support for additional information regarding affected versions and upgrade procedures
- Monitor for additional security updates from Elvaco as the vendor indicates further updates are planned to address remaining vulnerabilities
- Apply network segmentation and access controls to limit exposure of industrial control system devices per CISA ICS recommended practices
Evidence notes
CISA ICS advisory ICSA-24-291-01 (Update A) published October 17, 2024, modified November 14, 2024. CVSS 3.1 score 7.5 (HIGH). Affected product confirmed as Elvaco CMe3100: 1.12.1. Vendor fix available in firmware 1.13.3 per remediation details in CSAF source.
Official resources
- CVE-2024-49399 CVE record (CVE.org)
- CVE-2024-49399 NVD detail (NVD)
- Source item: cisa_csaf (CISA ICS advisory ICSA-24-291-01)