CVE-2018-7301
Description
eQ-3 AG HomeMatic CCU2 2.29.22 devices have an open XML-RPC port without authentication. This can be exploited by sending arbitrary XML-RPC requests to control the attached BidCos devices.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HomeMatic CCU2 2.29.22 exposes an unauthenticated XML-RPC service on port 2001, allowing remote control of BidCos devices.
Vulnerability
HomeMatic CCU2 firmware version 2.29.22 exposes an XML-RPC service on TCP port 2001 without any authentication. This service is accessible over the local network and, if reachable, from the Internet. The XML-RPC interface provides methods to control and configure attached BidCos devices (sensors, actuators, etc.). The lack of authentication allows anyone who can send HTTP requests to the port to invoke any available method.
Exploitation
An attacker with network access to the CCU2 device can send arbitrary XML-RPC requests to port 2001. No prior authentication or user interaction is required. The attacker can use tools like curl to issue method calls, as demonstrated in the advisory [1]. For example, system.listMethods returns the full list of available RPC methods.
Impact
Successful exploitation enables the attacker to fully control all BidCos devices connected to the CCU2. They can turn actuators on/off, read sensor values, change device parameters, add or delete devices, and perform other administrative actions. The confidentiality, integrity and availability impact on the home automation system is high, as the attacker can manipulate device state and potentially disrupt home operations.
Mitigation
As of the publication date (2018-02-22), no fixed firmware version had been released by eQ-3. The vendor has not publicly acknowledged the issue or provided a patch. Users should restrict network access to the CCU2, ensuring port 2001 is not exposed to untrusted networks. Firewall rules or VLAN segmentation can limit exposure. The device should be isolated from the Internet unless absolutely necessary.
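The network restriction recommended above can be verified from firewall logs rather than trusted blindly. The following Python script is an added example, not part of this CVE record or the referenced advisory. It assumes a constructed log format with src=, dst=, proto= and dport= fields, a hypothetical home-automation segment 192.168.1.0/24 as the only trusted source network, and the port 2001 named in the advisory; it reports every connection to that port from outside the trusted segment, rating accepted connections high (the unauthenticated service was reachable) and dropped ones low (the port is being probed from where it should not be reachable at all).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample firewall log lines for illustration; the format (src=/dst=/dport=
# key-value fields) and every address are assumptions, not data from the CVE record.
SAMPLE_LOG = """\
2018-02-22T10:01:03Z fw01 ACCEPT src=192.168.1.23 dst=192.168.1.10 proto=TCP dport=2001
2018-02-22T10:02:17Z fw01 ACCEPT src=203.0.113.45 dst=192.168.1.10 proto=TCP dport=2001
2018-02-22T10:02:18Z fw01 ACCEPT src=203.0.113.45 dst=192.168.1.10 proto=TCP dport=443
2018-02-22T10:05:40Z fw01 DROP src=198.51.100.7 dst=192.168.1.10 proto=TCP dport=2001
2018-02-22T10:06:02Z fw01 ACCEPT src=10.0.5.9 dst=192.168.1.10 proto=TCP dport=2001
"""

# Hypothetical home-automation segment: only hosts here may talk to the CCU2's XML-RPC port.
# A private address outside this segment (e.g. another VLAN) is still untrusted.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
CCU2_XMLRPC_PORT = 2001  # the unauthenticated XML-RPC port named in the advisory

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=(?P<proto>\S+)\s+dport=(?P<dport>\d+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    action: str
    severity: str
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line in the constructed format; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_untrusted_rpc_access(
    log_text: str, trusted_nets=TRUSTED_NETS, port: int = CCU2_XMLRPC_PORT
) -> List[Alert]:
    """Flag every TCP connection to the XML-RPC port whose source is outside the trusted segment."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unrelated or malformed line
        if rec["proto"].upper() != "TCP" or int(rec["dport"]) != port:
            continue  # only the CCU2 XML-RPC port is of interest here
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue  # unparsable address: skip rather than abort the whole run
        if any(src in net for net in trusted_nets):
            continue  # expected traffic from the home-automation segment
        if rec["action"] == "ACCEPT":
            severity, reason = "high", "untrusted source reached the CCU2 XML-RPC port"
        else:
            severity, reason = "low", "blocked attempt to reach the CCU2 XML-RPC port"
        alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["action"], severity, reason))
    return alerts


if __name__ == "__main__":
    for a in find_untrusted_rpc_access(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.dst}:{CCU2_XMLRPC_PORT} ({a.action}): {a.reason}")
```

Any high-severity alert means the segmentation or firewall rule is not doing its job; a steady stream of low-severity alerts from the Internet side shows why the port must not be forwarded. Adjust TRUSTED_NETS and LINE_RE to the real firewall's log format before use.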
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.29.22
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] atomic111.github.io/article/homematic-ccu2-xml-rpc (MISC)
News mentions
No linked articles in our index yet.