CVE-2018-7300

Vulnerability

The Homematic CCU2 central control unit (versions 2.29.2 and earlier) contains a directory traversal vulnerability in the User.setLanguage JSON API method. The method can be invoked without authentication and writes user-controlled input to a file path constructed from the userName parameter. By injecting path traversal sequences (e.g., ../../../../../../../..) and a null byte (\u0000) to truncate the appended .lang suffix, an attacker can write arbitrary content to any location on the device's filesystem [1][2].

Exploitation

An unauthenticated attacker with network access to the web interface sends a crafted HTTP POST request to /api/homematic.cgi with a JSON body containing the desired file path (using traversal) in userName and the file content in userLang. The null byte in userName prevents the .lang extension from being appended. This can be executed without any prior authentication or user interaction [1][2].

Impact

Successful exploitation allows an attacker to create or overwrite arbitrary files on the CCU2 filesystem. This can lead to full remote code execution, for example by overwriting system scripts or configuration files, or by writing a web shell. The attacker gains complete control over the device, potentially compromising the entire home automation network [1].

Mitigation

As of the available references, no official patch has been released for this vulnerability. Users should restrict network access to the CCU2 web interface to trusted hosts only, and consider isolating the device from the internet. The device may be at end of life; contact the vendor (eQ-3) for further guidance.