PT-2019-15725 · Eq 3 · Eq-3 Homematic Ccu3+1

Psytester

Published

2019-11-14

Updated

2021-07-21

CVE-2019-18937

CVSS v2.0

7.5

High

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions eQ-3 Homematic CCU2 version 2.47.20 eQ-3 Homematic CCU3 version 3.47.18

Description The issue allows remote code execution by unauthenticated attackers with access to the web interface. This is achieved via the exec.cgi script, which executes TCL script content from an HTTP POST request.

Recommendations For eQ-3 Homematic CCU2 version 2.47.20, update the system to remove or restrict access to the exec.cgi script to prevent remote code execution. For eQ-3 Homematic CCU3 version 3.47.18, update the system to remove or restrict access to the exec.cgi script to prevent remote code execution. As a temporary workaround, consider disabling the Script Parser AddOn until a patch is available.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

CVE-2019-18937

Affected Products

Eq-3 Homematic Ccu2

Eq-3 Homematic Ccu3

PT-2019-15725 · Eq 3 · Eq-3 Homematic Ccu3+1

CVE-2019-18937

Weakness Enumeration

Related Identifiers

Affected Products

References · 2