CVE-2018-7297
published 2018-02-22

Priority P1 (89) · critical · CVSS 3.0 base score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 65.27% (99.2th percentile)
Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.

Affected (1 range)

Vendor   Product                                        Version range   Fixed in
eq-3     homematic_central_control_unit_ccu2_firmware   <= 2.29.22      (not listed)

Detection & IOCs (extracted from sources)

command: string stdout;string stderr;system.Exec("<cmd>", stdout, stderr);
hash: 49495c9aa08d7859fec1f99f487560b59d8a8914811746181e4e7edbee85341f
hash: d068e8f781879774f0bcc1f2a116211d41194b67024fe45966c8272a8038a7a1
hash: 1583fd1c6607b77f51411c4ad7c9225324fd1b069645062a348cd885de0ac382
hash: 7e20c6cea88ade6a6c4a08ce48fe4ac2451069b7662a8dda4362a304b4854ec7
hash: 0b05202f4da9bbe1af1811707a76544453282c4f3c0ac9b353759c86742f4369
hash: 73df4e952c581afc427fa18fa2d0bcfa409c1814cd872a3ccf05d44f934ce780
hash: c082c39e595c7f23c04ce0d6597657d6e649585d5da49b5bd896e664b712e60d
hash: 500dd4c1a5c24495c3bb8173ce5c7b15ba3344aef855090b9b9585b2bfeea974
bytes: XOR key 0x87, cumulative byte-wise XOR string encryption
  • Exploit targets the /Test.exe endpoint on Homematic CCU2 via HTTP POST, injecting TCL commands through the system.Exec() function in the request body. Monitor for POST requests to this path.
  • Exploit payload uses TCL interpreter's system.Exec() call embedded in the POST body with the pattern 'string stdout;string stderr;system.Exec(...)'. Detect this string pattern in HTTP POST body traffic to CCU2 devices.
  • CVE-2018-7297 is exploitable by unauthenticated attackers via the web interface. Absence of authentication headers in POST requests to /Test.exe should be treated as suspicious.
  • Hide 'N Seek botnet samples exploiting CVE-2018-7297 use a cumulative byte-wise XOR with key 0x87 for string decryption. Use this decryption scheme when reverse-engineering captured samples.
  • Hide 'N Seek botnet variant exploiting CVE-2018-7297 can be tracked in AutoFocus using the tag HideNSeek.
  • The exploit targets Homematic CCU2 versions 2.29.2 and earlier (the PoC specifically references 2.29.23). Devices running versions above this threshold are not affected by this specific CVE.
  • Hard-coded P2P peer IPs and ports used by the Hide 'N Seek variant differ between samples and versions; refer to the Palo Alto Networks GitHub page for the full current list rather than relying on a static set.
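The following script is an added example written for this page, not code from the CVE sources, the PoC, or the Hide 'N Seek samples. It serves two of the notes above: it classifies raw HTTP requests against the /Test.exe plus system.Exec plus missing-auth-header signature, and it implements one reading of the "cumulative byte-wise XOR with key 0x87" string scheme. The sample requests are constructed, the host 192.0.2.10 is a documentation address, and the exact chaining order of the XOR (running key seeded with 0x87 and folded with each recovered plaintext byte) is an assumption from the one-line description, so verify it against a real sample before relying on it.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample traffic (not captured from a real device): one request
# shaped like the exploit pattern described above and one benign request.
EXPLOIT_POST = (
    "POST /Test.exe HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Content-Type: text/plain\r\n"
    "Content-Length: 62\r\n"
    "\r\n"
    'string stdout;string stderr;system.Exec("id", stdout, stderr);'
)
BENIGN_GET = (
    "GET /config/ HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==\r\n"
    "\r\n"
)

# Loose match on the exploit body: tolerate whitespace and case changes so
# trivial reformatting of the PoC string does not evade the rule.
EXEC_RE = re.compile(
    r"string\s+stdout\s*;\s*string\s+stderr\s*;\s*system\.Exec\s*\(",
    re.IGNORECASE,
)
CMD_RE = re.compile(r'system\.Exec\s*\(\s*"([^"]*)"', re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)
    command: Optional[str] = None


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_request(raw: str) -> Optional[Finding]:
    """Return a Finding when the request matches the CVE-2018-7297 pattern."""
    method, path, headers, body = parse_request(raw)
    if method != "POST":
        return None
    finding = Finding(path=path)
    if path.split("?", 1)[0] == "/Test.exe":
        finding.reasons.append("POST to /Test.exe")
    if EXEC_RE.search(body):
        finding.reasons.append("system.Exec exploit pattern in body")
        cmd = CMD_RE.search(body)
        if cmd:
            finding.command = cmd.group(1)
    # Only worth flagging once something else matched; an authenticated
    # operator using the script interface will trip the body pattern too.
    if finding.reasons and "authorization" not in headers and "cookie" not in headers:
        finding.reasons.append("no authentication headers")
    return finding if finding.reasons else None


HNS_XOR_KEY = 0x87


def hns_xor_decrypt(data: bytes, key: int = HNS_XOR_KEY) -> bytes:
    """Assumed 'cumulative byte-wise XOR': each ciphertext byte is XORed with a
    running key seeded with 0x87 and folded with every plaintext byte recovered
    so far (which makes the running key equal to the previous ciphertext byte)."""
    out = bytearray()
    for c in data:
        p = c ^ key
        out.append(p)
        key ^= p
    return bytes(out)


def hns_xor_encrypt(data: bytes, key: int = HNS_XOR_KEY) -> bytes:
    """Inverse of hns_xor_decrypt, for building test vectors."""
    out = bytearray()
    for p in data:
        out.append(p ^ key)
        key ^= p
    return bytes(out)


if __name__ == "__main__":
    print(classify_request(EXPLOIT_POST))
    print(classify_request(BENIGN_GET))
    print(hns_xor_encrypt(b"Test").hex())
    print(hns_xor_decrypt(hns_xor_encrypt(b"Test")))
```

Feed `classify_request` reassembled request bodies from a proxy or IDS log in front of the CCU2; the three reasons together are the high-confidence case, while the body pattern alone also fires on legitimate administrative use of the script interface. If the chaining assumption in `hns_xor_decrypt` is wrong for a given sample, the first byte will still decode correctly (it only depends on 0x87) and the rest will not, which is a quick way to tell.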

CVSS provenance

nvd        v3.0   9.8    CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0   10.0   CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck         9.8    CRITICAL