PT-2019-13912 · Eq 3 · Cuxd Addon+2

Psytester

Published

2019-08-13

Updated

2020-08-24

CVE-2019-14985

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed

Description The issue allows for Remote Code Execution by unauthenticated attackers who have access to the web interface. This is possible because the web interface can access the CMD EXEC virtual device type 28.

Recommendations For eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed, consider restricting access to the web interface to prevent unauthenticated attackers from exploiting this issue. As a temporary workaround, limit access to the CMD EXEC virtual device type 28 until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

CVE-2019-14985

Affected Products

Cuxd Addon

Eq-3 Homematic Ccu2

Eq-3 Homematic Ccu3

PT-2019-13912 · Eq 3 · Cuxd Addon+2

CVE-2019-14985

Weakness Enumeration

Related Identifiers

Affected Products

References · 3