PT-2019-15726 · Eq 3 · Eq-3 Homematic Ccu3+2
Psytester
·
Published
2019-11-14
·
Updated
2021-07-21
·
CVE-2019-18938
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
eQ-3 Homematic CCU2 version 2.47.20
eQ-3 Homematic CCU3 version 3.47.18
E-Mail AddOn versions through 1.6.8.c
Description
The issue allows remote code execution by unauthenticated attackers with access to the web interface. This is achieved via the "save.cgi" script for payload upload and the "testtcl.cgi" script for its execution.
Recommendations
For eQ-3 Homematic CCU2 version 2.47.20, restrict access to the web interface to prevent unauthenticated attackers from exploiting the issue.
For eQ-3 Homematic CCU3 version 3.47.18, consider disabling the save.cgi and testtcl.cgi scripts until a fix is available.
For E-Mail AddOn versions through 1.6.8.c, avoid using the affected scripts in the web interface until the issue is resolved.
Exploit
Fix
Missing Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
E-Mail Addon
Eq-3 Homematic Ccu2
Eq-3 Homematic Ccu3