PT-2019-19726 · eQ-3 · eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3
Psytester · Published 2019-08-14 · Updated 2020-08-24
CVE-2019-9584 · CVSS v3.1 9.8 (Critical) · Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3
Description
The CloudMatic add-on does not enforce access control on its pages under /addons/mh/, in particular on the add-on's own API endpoints. Anyone who can reach the CCU's web interface can therefore act as an administrator without authenticating (hence PR:N in the vector): read the VPN profile details, stop the VPN service, and delete the VPN service configuration. The result is disclosure of the remote-access credentials and denial of the remote-access service, which is why the issue is rated Critical.
Recommendations
For eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3, until a patched add-on version is available, restrict access to the /addons/mh/ pages as a temporary workaround: block access to the CCU's web interface (HTTP and, where enabled, HTTPS) from untrusted networks at the router or firewall, and do not expose the CCU to the internet through port forwarding. If remote access is not needed, remove the CloudMatic add-on altogether. Note that a firewall rule only keeps out clients beyond the permitted network; any host on the same LAN can still reach the endpoints. After applying a workaround, confirm that an unauthenticated request to /addons/mh/ is no longer answered with content.
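To verify exposure before, and the workaround after, here is an added check script; it is not part of the advisory and not code from eQ-3 or the CloudMatic project. It issues one unauthenticated GET to the /addons/mh/ path named in the description, does not follow redirects, and classifies the reply. The CCU address passed on the command line, the classification rules and the login-form heuristic are assumptions; the script does not call the add-on's API and changes nothing on the device.

```python
"""Unauthenticated-access check for the CloudMatic add-on pages (/addons/mh/).

Added example, not code from the advisory, from eQ-3 or from CloudMatic.
It sends one GET per path with no cookie and no CCU session id, does not
follow redirects, and classifies the reply. Only the /addons/mh/ path comes
from the advisory; the classification rules and the CCU address you pass on
the command line are assumptions.
"""
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Sequence, Tuple

# (HTTP status, Location header or None, first bytes of the body as text)
Response = Tuple[int, Optional[str], str]

EXPOSED = "exposed"      # answered with content and no authentication
PROTECTED = "protected"  # denied, or bounced to a login page
ABSENT = "absent"        # path not present (add-on not installed?)
ERROR = "error"          # no usable answer


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx replies instead of following them, so a redirect to a
    login page shows up as a verdict of its own."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url: str, timeout: float = 5.0) -> Response:
    """Plain GET without credentials. Non-2xx replies arrive as HTTPError
    and are returned like any other reply."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "mh-access-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location"), resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), err.read(4096).decode("utf-8", "replace")


def classify(resp: Response) -> str:
    """Map one reply to a verdict. The login-form heuristic (a 200 whose body
    carries a form with a password field) is an assumption of this example,
    not something the advisory describes."""
    status, location, body = resp
    if status in (401, 403):
        return PROTECTED
    if 300 <= status < 400 and location:
        return PROTECTED
    if status == 404:
        return ABSENT
    if status == 200:
        lowered = body.lower()
        if "<form" in lowered and "password" in lowered:
            return PROTECTED
        return EXPOSED
    return ERROR


def check_ccu(base_url: str, paths: Sequence[str] = ("/addons/mh/",),
              fetch: Callable[[str], Response] = http_fetch) -> Dict[str, str]:
    """Probe each path under base_url and return {path: verdict}.
    `fetch` is injectable so the logic can be exercised without a device."""
    verdicts: Dict[str, str] = {}
    for path in paths:
        try:
            verdicts[path] = classify(fetch(base_url.rstrip("/") + path))
        except (urllib.error.URLError, OSError, ValueError):
            verdicts[path] = ERROR
    return verdicts


def is_vulnerable(verdicts: Dict[str, str]) -> bool:
    """True if any probed page answered without authentication."""
    return any(v == EXPOSED for v in verdicts.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mh_access_check.py http://<ccu-address>")
    result = check_ccu(sys.argv[1])
    for path, verdict in result.items():
        print(f"{path}: {verdict}")
    sys.exit(1 if is_vulnerable(result) else 0)
```

Run it against your own CCU only (`python3 mh_access_check.py http://<ccu-address>`); exit status 1 means a page under /addons/mh/ answered an unauthenticated request with content. A `protected` or `absent` verdict on the base path is a good sign but not proof that every API endpoint is covered, so keep the network-level restriction in place until the add-on is updated.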
Affected Products
CCU2
CCU3
eQ-3 Homematic AddOn 'CloudMatic'