Elvaco M-Bus Metering Gateway CMe3100 (Update A)

Act Now9.1ICS-CERT ICSA-24-291-01Oct 17, 2024

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Elvaco CMe3100 M-Bus Metering Gateway contains multiple vulnerabilities that could allow remote code execution, false data injection, and authentication bypass. CVE-2024-49397 allows attackers to bypass authentication without credentials. CVE-2024-49399 enables unauthorized remote access. Additional vulnerabilities (CWE-522, CWE-79, CWE-434) exist but require prior authentication. These affect devices exposed on untrusted networks or without firewall protection. Elvaco has released firmware 1.13.3 addressing the authentication bypass and unauthorized access issues. Remaining vulnerabilities will be addressed in a future update.

What this means

What could happen

An attacker with network access to an unprotected M-Bus metering gateway could bypass authentication and execute code on the device, allowing them to send false meter readings, disrupt data collection, or compromise the entire metering network.

Who's at risk

Water authorities, electric utilities, and other municipal service providers operating M-Bus metering networks. The CMe3100 gateway device typically sits between smart meters and data collection systems, making it critical to billing, consumption monitoring, and operational visibility.

How it could be exploited

An attacker on the same network or with internet access to an exposed CMe3100 can send specially crafted network requests to bypass authentication controls (CVE-2024-49397), then use the authenticated access to upload malicious code or manipulate device functions (CVE-2024-49399 and others).

Prerequisites

Network access to the CMe3100 device (no authentication required for initial bypass)
Device not protected by firewall or network segmentation
Device exposed to untrusted networks or the internet

Remotely exploitableNo authentication required for initial attackLow complexity attackAffects critical infrastructure metering systemsDefault or weak segmentation exposes device to internet

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

CMe3100: 1.12.11.12.11.13.3

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGPlace CMe3100 behind a firewall and isolate it from business networks and internet access

HARDENINGIf remote access is required, use a VPN with strong authentication and keep VPN software updated

WORKAROUNDRestrict network access to the device to only authorized management stations on a dedicated VLAN

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CMe3100 firmware to version 1.13.3 or later

CVEs (4)

CVE-2024-49396 CVE-2024-49397 CVE-2024-49398 CVE-2024-49399

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/844bbb37-f1ad-48dd-9e35-fbb3f91c371c