Elvaco M-Bus Metering Gateway CMe3100 (Update A)

Plan Patch | CVSS 9.1 | ICS-CERT ICSA-24-291-01 | Oct 17, 2024
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities in the Elvaco CMe3100 M-Bus Metering Gateway allow unauthenticated attackers to bypass authentication, impersonate the device, and send false meter readings or commands. Additional post-authentication vulnerabilities require valid credentials but could lead to remote code execution and data manipulation. CMe3100 firmware version 1.12.1 is affected. CVE-2024-49397 and CVE-2024-49399 are addressed in firmware version 1.13.3. Mitigations for the remaining vulnerabilities are under active development.

What this means
What could happen
An attacker could bypass authentication to gain remote access to your M-Bus gateway and send false meter readings or commands to connected devices. Remaining vulnerabilities require authentication but could allow an attacker to execute code or manipulate data on the device.
Who's at risk
Water and electric utilities using Elvaco M-Bus Metering Gateway CMe3100 devices for meter data collection. This affects any organization relying on this gateway to collect consumption readings from smart meters and remote measurement devices connected via the M-Bus protocol.
How it could be exploited
An attacker on the network can reach the CMe3100 device and exploit unauthenticated remote access vulnerabilities to gain initial access without credentials. Once authenticated, post-authentication vulnerabilities could allow code execution or data manipulation affecting meter readings and device commands.
Prerequisites
  • Network access to the CMe3100 device over HTTP/HTTPS
  • Device is not behind a firewall, or is on an internet-exposed network
Risk factors
  • remotely exploitable
  • no authentication required for initial access
  • low complexity
  • high CVSS score (9.1)
  • affects meter data integrity and device control
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (1)
Product | Affected Versions | Fix Status
CMe3100: 1.12.1 | 1.12.1 | 1.13.3
Remediation & Mitigation
Do now
HARDENING: Restrict network access to the CMe3100 device; place it behind a firewall and ensure it is not reachable from the internet or untrusted networks
HARDENING: If remote access to the CMe3100 is required, use a VPN with encryption and access controls rather than direct internet exposure
HARDENING: Change any default credentials on the CMe3100 device and ensure authentication is enabled on all administrative interfaces
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CMe3100 firmware to version 1.13.3 or later
Long-term hardening
HARDENING: Segment your metering gateway network from business networks to limit lateral movement if the device is compromised