CVE-2018-7300
Published 2018-02-22
Priority P278, critical, CVSS 3.1 score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 31.75% (98.1th percentile)
Directory Traversal / Arbitrary File Write / Remote Code Execution in the User.setLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to write arbitrary files to the device's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| eq-3 | homematic_ccu2_firmware | <= 2.29.22 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /api/homematic.cgi with a JSON body containing the method 'User.setLanguage' and a userName parameter containing directory traversal sequences (e.g., '../../') and/or a null byte (\u0000).
- Flag unauthenticated JSON-RPC requests (version 1.1) to the homematic.cgi endpoint — the exploit requires no authentication credentials.
- Inspect Content-Type header for 'application/json' on POST requests to /api/homematic.cgi as the exploit explicitly sets this header.
- Alert on writes to sensitive paths such as /etc/shadow via the CCU2 web interface, as the exploit demonstrates overwriting that file with attacker-controlled content.
- The exploit disables TLS certificate verification, so the attack works over both HTTP and HTTPS regardless of certificate validity. Detection rules must cover both schemes on the CCU2 web interface port.
- The null-byte terminator (\u0000) appended to the userName path is essential to the traversal payload; detection signatures should account for null-byte injection within JSON string values.
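One way to apply the request-body checks listed above to captured HTTP requests, as an added example that is not from the advisory or from any vendor tooling. It assumes `userName` is sent as a key of the JSON-RPC `params` object; the function name and the sample bodies are constructed for illustration.

```python
import json
import re

ENDPOINT = "/api/homematic.cgi"                     # path named in the detection notes
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")   # a ".." path segment

def inspect_request(http_method, url_path, body):
    """Return the reasons a request matches the CVE-2018-7300 detection notes."""
    if http_method.upper() != "POST" or url_path.split("?", 1)[0] != ENDPOINT:
        return []
    try:
        rpc = json.loads(body)
    except ValueError:  # also covers JSONDecodeError and UnicodeDecodeError
        # A body the parser rejects is still flagged if the raw markers are present.
        raw = body if isinstance(body, bytes) else body.encode()
        if b"User.setLanguage" in raw and (b"../" in raw or b"\\u0000" in raw):
            return ["unparseable body with User.setLanguage and traversal/null marker"]
        return []
    if not isinstance(rpc, dict) or rpc.get("method") != "User.setLanguage":
        return []
    params = rpc.get("params")
    # Assumption: userName is a key of a params object (named parameters).
    user = params.get("userName") if isinstance(params, dict) else None
    if not isinstance(user, str):
        return []
    reasons = []
    if TRAVERSAL.search(user):
        reasons.append("userName contains a '..' path segment")
    if "\x00" in user:  # json.loads decodes the \u0000 escape to a real NUL
        reasons.append("userName contains a null byte")
    return reasons

# Constructed sample requests: (method, path, body)
SUSPICIOUS = ("POST", ENDPOINT, b'{"version":"1.1","method":"User.setLanguage",'
              b'"params":{"userName":"../../tmp/constructed\\u0000"}}')
BENIGN = ("POST", ENDPOINT, b'{"version":"1.1","method":"User.setLanguage",'
          b'"params":{"userName":"Admin"}}')
TRUNCATED = ("POST", ENDPOINT, b'{"method":"User.setLanguage","params":{"userName":"../../x')

if __name__ == "__main__":
    for name, req in [("suspicious", SUSPICIOUS), ("benign", BENIGN), ("truncated", TRUNCATED)]:
        print(name, inspect_request(*req))
```

Because the check works on the decoded request body, it applies equally to HTTP traffic and to HTTPS traffic inspected after TLS termination.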
CVSS provenance
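| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |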
No detection rules found.
No writeups or analysis indexed.