Cyber Posture

CVE-2024-56180

CriticalRCE

Published: 14 February 2025

Published
14 February 2025
Modified
14 July 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0054 67.8th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-56180 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Apache Eventmesh. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly mitigates the deserialization vulnerability by requiring timely patching to the fixed Apache EventMesh version 1.11.0 or master branch code.

SI-10 Information Input Validation good match
prevent

Requires validation of untrusted RPC inputs to block controlled messages that trigger Hessian deserialization leading to RCE.

SI-16 Memory Protection partial match
prevent

Implements memory safeguards like DEP and ASLR to protect against unauthorized code execution resulting from successful deserialization exploits.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Direct RCE via untrusted deserialization over network-accessible RPC enables exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

CWE-502 Deserialization of Untrusted Data at the eventmesh-meta-raft plugin module in Apache EventMesh master branch without release version on windows\linux\mac os e.g. platforms allows attackers to send controlled message and remote code execute via hessian deserialization rpc protocol. Users can…

more

use the code under the master branch in project repo or version 1.11.0 to fix this issue.

Deeper analysisAI

CVE-2024-56180 is a CWE-502 Deserialization of Untrusted Data vulnerability in the eventmesh-meta-raft plugin module of Apache EventMesh master branch, excluding release versions, on Windows, Linux, and macOS platforms. The flaw allows attackers to send controlled messages that trigger remote code execution via the Hessian deserialization RPC protocol.

Remote attackers can exploit this vulnerability with network access, no privileges required, low attack complexity, and no user interaction needed. Exploitation yields high-impact confidentiality, integrity, and availability effects, resulting in a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Apache advisories indicate that users should apply the fixed code from the master branch in the project repository or upgrade to version 1.11.0 to mitigate the issue. Relevant discussions appear in the Apache mailing list and oss-security announcements.

Details

CWE(s)
CWE-502

Affected Products

apache
eventmesh
1.10.1 — 1.11.0

CVEs Like This One

CVE-2025-61622Same vendor: Apache
CVE-2024-52577Same vendor: Apache
CVE-2026-41635Same vendor: Apache
CVE-2024-54676Same vendor: Apache
CVE-2026-40473Same vendor: Apache
CVE-2026-42779Same vendor: Apache
CVE-2025-53606Same vendor: Apache
CVE-2026-25747Same vendor: Apache
CVE-2026-40860Same vendor: Apache
CVE-2026-41409Same vendor: Apache

References