PT-2019-19726 · eQ-3 · eQ-3 Homematic AddOn 'CloudMatic' +2

Psytester · Published 2019-08-14 · Updated 2020-08-24 · CVE-2019-9584

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3

Description

Improper access control on all /addons/mh/ pages, specifically the API endpoints of the "CloudMatic" add-on, allows uncontrolled admin access. An attacker can obtain VPN profile details, shut down the VPN service, and delete the VPN service configuration.

Recommendations

For eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3, consider restricting access to the /addons/mh/ pages as a temporary workaround until a patch is available. To minimize the risk of exploitation, avoid using the "CloudMatic" add-on until the issue is resolved.

Weakness Enumeration

Related Identifiers

CVE-2019-9584

Affected Products

CCU2
CCU3
eQ-3 Homematic AddOn 'CloudMatic'