Cyber Resilience

CVE-2024-53561

High · RCE

Published: 14 January 2025

Modified: 15 April 2026
CVSS Score v3.1: 8.7 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0171 (82.7th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53561 is a high-severity Code Injection (CWE-94) vulnerability in Arcadyan Meteor (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 17.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-53561 is a remote code execution (RCE) vulnerability affecting the Arcadyan Meteor 2 CPE FG360 Firmware version ETV2.10. It allows attackers to execute arbitrary code through a crafted request, stemming from improper control of code generation as indicated by CWE-94. The vulnerability carries a CVSS v3.1 base score of 8.7, reflecting its high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

Exploitation requires high privileges (PR:H): a remote attacker who already holds such access can send a crafted request over the network without user interaction. Successful exploitation allows arbitrary code execution, with high confidentiality and integrity impacts across a changed scope (S:C); availability is unaffected (A:N).

For mitigation details, security practitioners should consult the referenced advisories, including the GitHub repository at https://github.com/Mrnmap/mrnmap-cve/blob/main/CVE-2024-53561, which may contain proof-of-concept information, and Arcadyan's 5G solutions page at https://www.arcadyan.com/en-us/solutions/idea/fiveG/ for vendor guidance on patches or updates. The vulnerability was published on January 14, 2025.

Vulnerability details

A remote code execution (RCE) vulnerability in Arcadyan Meteor 2 CPE FG360 Firmware ETV2.10 allows attackers to execute arbitrary code via a crafted request.

CWE(s)

CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via crafted network request on publicly accessible CPE firmware (CWE-94) maps to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-13773 · Shared CWE-94
CVE-2025-50692 · Shared CWE-94
CVE-2026-30643 · Shared CWE-94
CVE-2026-30460 · Shared CWE-94
CVE-2025-71243 · Shared CWE-94
CVE-2026-44262 · Shared CWE-94
CVE-2024-13792 · Shared CWE-94
CVE-2020-37052 · Shared CWE-94
CVE-2026-42555 · Shared CWE-94
CVE-2025-65037 · Shared CWE-94

Affected Assets

Arcadyan Meteor (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Timely flaw remediation ensures the specific firmware vulnerability in Arcadyan Meteor 2 CPE FG360 is patched, preventing RCE via crafted requests.

Prevent: Information input validation directly counters improper control of code generation (CWE-94) by rejecting crafted requests that could lead to arbitrary code execution.

Prevent: Least privilege limits high-privilege (PR:H) access required for exploitation, reducing the attack surface for remote attackers targeting the RCE vulnerability.
