ICSA-24-291-01  ·  Published 2024-11-14

Elvaco M-Bus Metering Gateway CMe3100 (Update A)

CVSS 9.1 CRITICAL

Risk Summary

Successful exploitation of these vulnerabilities could allow an attacker to perform remote code execution, impersonate and send false information, or bypass authentication.

Remediations

  • Elvaco believes that the remaining identified vulnerabilities require authentication to the device in order to be exploited, posing less immediate risk. They are actively working to address these and will release an additional update shortly to mitigate any remaining risks and further optimize security.
  • Users of affected versions of M-Bus Metering Gateway CMe3100 are invited to contact Elvaco customer support for additional information.
  • Elvaco made security enhancements to software version 1.13.3, which is now available for download at CMe3100 Firmware Download. This release addresses and mitigates the risk of an attacker bypassing authentication to gain access to a device not hidden on a private/closed network (CVE-2024-49397) and unauthorized remote access (CVE-2024-49399).

Affected Vendors

Elvaco

Affected Products (1)

Elvaco · CMe3100 1.12.1

Affected Sectors

Critical Manufacturing, Energy
