CVE-2024-53561
Published: 14 January 2025
Summary
CVE-2024-53561 is a high-severity Code Injection (CWE-94) vulnerability in Arcadyan Meteor (inferred from references). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 17.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-53561 is a remote code execution (RCE) vulnerability affecting the Arcadyan Meteor 2 CPE FG360 Firmware version ETV2.10. It allows attackers to execute arbitrary code through a crafted request, stemming from improper control of code generation as indicated by CWE-94. The vulnerability carries a CVSS v3.1 base score of 8.7, reflecting its high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
Exploitation requires high privileges (PR:H), enabling remote attackers with such access to send a crafted request over the network without user interaction. Successful exploitation grants the ability to execute arbitrary code, achieving high confidentiality and integrity impacts across a changed scope (S:C), though availability remains unaffected (A:N).
For mitigation details, security practitioners should consult the referenced advisories, including the GitHub repository at https://github.com/Mrnmap/mrnmap-cve/blob/main/CVE-2024-53561, which may contain proof-of-concept information, and Arcadyan's 5G solutions page at https://www.arcadyan.com/en-us/solutions/idea/fiveG/ for vendor guidance on patches or updates. The vulnerability was published on January 14, 2025.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-51994
Vulnerability details
A remote code execution (RCE) vulnerability in Arcadyan Meteor 2 CPE FG360 Firmware ETV2.10 allows attackers to execute arbitrary code via a crafted request.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct RCE via crafted network request on publicly accessible CPE firmware (CWE-94) maps to exploitation of public-facing applications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation ensures the specific firmware vulnerability in Arcadyan Meteor 2 CPE FG360 is patched, preventing RCE via crafted requests.
Information input validation directly counters improper control of code generation (CWE-94) by rejecting crafted requests that could lead to arbitrary code execution.
Least privilege limits high-privilege (PR:H) access required for exploitation, reducing the attack surface for remote attackers targeting the RCE vulnerability.