Eq-3 Ccu2 Firmware vulnerabilities
8 known vulnerabilities affecting eq-3/ccu2_firmware.
Total CVEs: 8
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 4, MEDIUM 1
Vulnerabilities
Entry fields: CVE ID | P-rating | severity | CVSS score | CWE | affected versions | date
CVE-2019-14423 | P2 | HIGH | CVSS 8.8 | CWE-78 | affected: >= 2.35.16, <= 2.45.6 | 2019-10-17
A Remote Code Execution (RCE) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to execute system commands as root remotely via a simple HTTP request.
Source: nvd
CVE-2019-10122 | P3 | CRITICAL | CVSS 9.8 | CWE-787 | fixed in 2.41.9 | 2019-07-10
eQ-3 HomeMatic CCU2 devices before 2.41.9 and CCU3 devices before 3.43.16 have buffer overflows in the ReGa ise GmbH HTTP-Server 2.0 component, aka HMCCU-179. This may lead to remote code execution.
Source: nvd
CVE-2019-10121 | P3 | CRITICAL | CVSS 9.8 | CWE-306 | fixed in 2.41.8 | 2019-07-10
eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.15 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via the user authentication dialogue, aka HMCCU-153. This leads to automatic login as admin.
Source: nvd
CVE-2019-10119 | P3 | CRITICAL | CVSS 9.8 | CWE-306 | fixed in 2.41.8 | 2019-07-10
eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, aka HMCCU-154. This leads to automatic login as admin.
Source: nvd
CVE-2019-14473 | P3 | HIGH | CVSS 8.8 | CWE-862 | affected: <= 2.47.15 | 2019-08-06
eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but lack authorization checks. Consequently, a valid guest level or user level account can create a new admin level account, read the service messages, clear the system protocol or modify/delete internal programs, etc. pp.
Source: nvd
CVE-2019-10120 | P3 | HIGH | CVSS 8.8 | CWE-384 | fixed in 2.41.8 | 2019-07-10
On eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16, automatic login configuration (aka setAutoLogin) can be achieved by continuing to use a session ID after a logout, aka HMCCU-154.
Source: nvd
CVE-2019-14475 | P3 | HIGH | CVSS 7.5 | CWE-862 | affected: <= 2.47.15 | 2019-08-05
eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID from CVE-2019-9583, resulting in the ability to read the service messages, clear the system protocol, create a new user in the system, or modify/delete internal programs.
Source: nvd
CVE-2019-14424 | P4 | MEDIUM | CVSS 6.5 | CWE-22 | affected: >= 2.35.16, <= 2.45.6 | 2019-10-17
A Local File Inclusion (LFI) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to read sensitive files via a simple HTTP Request.
Source: nvd