Cyber Resilience

CVE-2024-56180

CriticalRCE

Published: 14 February 2025

Published
14 February 2025
Modified
14 July 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0054 68.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56180 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Eventmesh. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 31.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-56180 is a CWE-502 Deserialization of Untrusted Data vulnerability in the eventmesh-meta-raft plugin module of Apache EventMesh master branch, excluding release versions, on Windows, Linux, and macOS platforms. The flaw allows attackers to send controlled messages that trigger remote code execution via the Hessian deserialization RPC protocol.

Remote attackers can exploit this vulnerability with network access, no privileges required, low attack complexity, and no user interaction needed. Exploitation yields high-impact confidentiality, integrity, and availability effects, resulting in a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Apache advisories indicate that users should apply the fixed code from the master branch in the project repository or upgrade to version 1.11.0 to mitigate the issue. Relevant discussions appear in the Apache mailing list and oss-security announcements.

EU & UK References

Vulnerability details

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can…

more

use the code under the master branch in project repo or version 1.11.0 to fix this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct RCE via untrusted deserialization over network-accessible RPC enables exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40473Same vendor: Apache
CVE-2026-33454Same vendor: Apache
CVE-2025-61622Same vendor: Apache
CVE-2026-42359Same vendor: Apache
CVE-2024-54676Same vendor: Apache
CVE-2026-40860Same vendor: Apache
CVE-2026-25747Same vendor: Apache
CVE-2026-41409Same vendor: Apache
CVE-2026-42779Same vendor: Apache
CVE-2024-52577Same vendor: Apache

Affected Assets

apache
eventmesh
1.10.1 — 1.11.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the deserialization vulnerability by requiring timely patching to the fixed Apache EventMesh version 1.11.0 or master branch code.

prevent

Requires validation of untrusted RPC inputs to block controlled messages that trigger Hessian deserialization leading to RCE.

prevent

Implements memory safeguards like DEP and ASLR to protect against unauthorized code execution resulting from successful deserialization exploits.

References