CVE-2018-7297
Description
Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated remote code execution via TCL script interpreter in Homematic CCU2 web interface allows full system compromise.
Vulnerability
The Homematic CCU2 central control unit (versions 2.29.2 and earlier) contains a remote code execution vulnerability in its TCL script interpreter. The web interface exposes the endpoint /Text.exe on ports 80 and 8181, which accepts POST requests containing TCL scripts. The interpreter executes these scripts without any session handling or authentication, allowing arbitrary TCL commands to be run on the device [1][2].
Exploitation
An unauthenticated attacker with network access to the CCU2's web interface can send a crafted POST request to /Text.exe with a TCL script payload. The script uses the system.Exec function to execute arbitrary system commands. For example, sending a script that runs cat /etc/shadow returns the file contents. The exploit requires no prior authentication or user interaction [1][2].
Impact
Successful exploitation grants the attacker read/write access to the filesystem and the ability to execute system commands with the privileges of the web server process. This can lead to full compromise of the CCU2 device, including disclosure of sensitive data (e.g., passwords), modification of system files, and potential lateral movement within the home automation network [1][2].
Mitigation
The vendor eQ-3 AG has not released a patch for this vulnerability as of the publication date. Users are advised to restrict network access to the CCU2 web interface to trusted networks only, and to monitor for firmware updates. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. If possible, disable remote access to the web interface [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
1- Range: <=2.29.2
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The TCL script interpreter at /Test.exe lacks any authentication or session handling, allowing unauthenticated remote execution of arbitrary TCL scripts."
Attack vector
An unauthenticated attacker with network access to the Homematic CCU2 web interface sends a POST request to `/Test.exe` on port 80 or 8181 [ref_id=1]. The request body contains a TCL script that invokes `system.Exec()` with an arbitrary operating-system command [ref_id=1]. The TCL interpreter executes the script without any session or authentication check, returning the command output in the HTTP response [ref_id=1].
Affected code
The TCL script interpreter exposed via the `/Test.exe` endpoint on ports 80 and 8181 is the vulnerable component [ref_id=1]. No authentication or session handling protects this endpoint, allowing arbitrary TCL script execution [ref_id=1].
What the fix does
The advisory does not provide a patch or vendor fix [ref_id=1]. Remediation requires restricting access to the `/Test.exe` endpoint, implementing authentication and session handling for the TCL interpreter, or disabling the endpoint entirely [ref_id=1].
Preconditions
- networkAttacker must have network access to the Homematic CCU2 web interface on port 80 or 8181
- authNo authentication or session is required
Reproduction
1. Send a POST request to `http://
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
2- www.exploit-db.com/exploits/44368/mitreexploitx_refsource_EXPLOIT-DB
- atomic111.github.io/article/homematic-ccu2-remote-code-executionmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.