VYPR
Unrated severity · NVD Advisory · Published Aug 6, 2019 · Updated Aug 5, 2024

CVE-2019-14473

Description

eQ-3 Homematic CCU2 and CCU3 use session IDs for authentication but lack authorization checks. Consequently, a valid guest level or user level account can create a new admin level account, read the service messages, clear the system protocol or modify/delete internal programs, and so on.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Low-privilege accounts on eQ-3 Homematic CCU2/CCU3 can escalate to admin and perform unauthorized actions due to missing authorization checks.

Vulnerability

The eQ-3 Homematic CCU2 and CCU3 central control units use session IDs for authentication but perform no authorization check on the actions a session then requests. Once a client holds any valid session, even one belonging to a guest or user account, the server accepts privileged operations from it without comparing the session's role against the privilege the operation requires; the defect is the absence of that per-request check, not a weakness in the session IDs themselves. The affected firmware versions are CCU2 2.47.12 and 2.47.15 (and likely earlier versions) and CCU3 3.47.10 and 3.47.15 (and likely earlier versions) [1].

Exploitation

An attacker needs only a valid guest-level or user-level account on the Homematic CCU2 or CCU3 and network access to its web interface. After logging in, the attacker sends the same requests an administrator would send, carrying the low-privilege session ID, and the CCU executes them: creating a new admin-level account, reading service messages, clearing the system protocol (the device's system log), or modifying and deleting internal programs [1]. Creating an admin account is the natural first step, since it gives the attacker a persistent, fully privileged login that outlives the original session. No additional authentication or user interaction is required beyond the initial low-privilege login.
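The bug class described in the Vulnerability and Exploitation sections, as an added illustration that is not eQ-3's code and does not reproduce the CCU's real request format or API: a toy controller whose dispatch() authenticates the session ID and then, only when enforcement is on, compares the role bound to that session with the privilege each action requires. The vulnerable variant stops after the session lookup, which is exactly the missing step in the advisory. All names (Controller, the action names, the accounts "Admin" and "Gast") are hypothetical, and the user list, service message and log entries are constructed sample data.

```python
"""Authentication without authorization: a session ID proves who you are,
but nothing checks what that session's role may do. Illustrative model of the
CVE-2019-14473 bug class, not eQ-3 code; every name here is hypothetical."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

ROLE_RANK = {"guest": 0, "user": 1, "admin": 2}

# Minimum role each action should require (assumed for the model).
REQUIRED_ROLE = {
    "createUser": "admin",
    "readServiceMessages": "admin",
    "clearSystemLog": "admin",
    "readDeviceState": "guest",
}


class AuthError(Exception):
    pass


@dataclass
class Controller:
    # Constructed sample accounts: a built-in admin and a guest.
    users: dict = field(default_factory=lambda: {"Admin": "admin", "Gast": "guest"})
    sessions: dict = field(default_factory=dict)  # session id -> user name
    system_log: list = field(default_factory=lambda: ["boot", "login Admin"])
    enforce_authz: bool = True  # False reproduces the vulnerable behaviour

    def login(self, username: str) -> str:
        """Authentication: hand out a random session ID for a known account."""
        if username not in self.users:
            raise AuthError("unknown user")
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def dispatch(self, sid: str, action: str, **params):
        # Step 1 (done by both variants): is this a valid session at all?
        username = self.sessions.get(sid)
        if username is None:
            raise AuthError("invalid session")
        if action not in REQUIRED_ROLE:
            raise ValueError(f"unknown action {action}")
        # Step 2 (the check the vulnerable firmware omits): does the role
        # bound to this session reach the privilege the action requires?
        if self.enforce_authz:
            have = ROLE_RANK[self.users[username]]
            need = ROLE_RANK[REQUIRED_ROLE[action]]
            if have < need:
                self.system_log.append(f"denied {action} for {username}")
                raise AuthError(f"{username} ({self.users[username]}) may not {action}")
        return getattr(self, "_do_" + action)(**params)

    # Action implementations; each trusts that dispatch() already authorized.
    def _do_createUser(self, name: str, role: str) -> str:
        if role not in ROLE_RANK:
            raise ValueError("bad role")
        self.users[name] = role
        self.system_log.append(f"createUser {name} {role}")
        return name

    def _do_readServiceMessages(self) -> list:
        return ["Low battery: window sensor (constructed sample)"]

    def _do_clearSystemLog(self) -> bool:
        self.system_log.clear()
        return True

    def _do_readDeviceState(self, device: str) -> dict:
        return {"device": device, "state": "closed"}


def guest_escalation(enforce_authz: bool) -> dict:
    """Replay the advisory scenario: a guest session tries to create an admin
    account and then wipe the log. Returns what the controller allowed."""
    ccu = Controller(enforce_authz=enforce_authz)
    sid = ccu.login("Gast")
    outcome = {}
    attempts = [
        ("createUser", {"name": "Eve", "role": "admin"}),
        ("clearSystemLog", {}),
        ("readDeviceState", {"device": "window-1"}),  # legitimately guest-level
    ]
    for action, params in attempts:
        try:
            ccu.dispatch(sid, action, **params)
            outcome[action] = "allowed"
        except AuthError:
            outcome[action] = "denied"
    outcome["users"] = dict(ccu.users)
    outcome["log_entries"] = len(ccu.system_log)
    return outcome


if __name__ == "__main__":
    print("vulnerable:", guest_escalation(enforce_authz=False))
    print("fixed:     ", guest_escalation(enforce_authz=True))
```

With enforcement off, the guest session creates the admin account "Eve" and empties the log, which is the advisory's outcome; with enforcement on, both privileged calls are refused and recorded while the guest-level device read still succeeds. The design point is that the role lookup happens once, centrally, in dispatch(), so no individual action handler can forget it.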

Impact

Successful exploitation allows the attacker to escalate privileges to admin level, gaining full control over the Homematic CCU. The attacker can then read sensitive service messages, clear system logs to cover tracks, and modify or delete internal programs that control smart home devices. This compromises the confidentiality, integrity, and availability of the entire smart home system, potentially allowing physical actions (e.g., unlocking doors, disabling alarms) depending on connected devices [1].

Mitigation

As of the publication date (2019-08-06), no official patch or workaround had been released by eQ-3; the vendor was contacted but did not confirm the issue or provide a fix [1]. Users should monitor the vendor's website for updates. Until a fix is installed, treat every account on the device as administrator-equivalent, because the CCU itself cannot be relied on to enforce the difference: remove guest and user accounts that are not strictly needed, and restrict network access to the CCU2/CCU3 web interface to trusted hosts, for example with a separate VLAN or firewall rules. Regularly review the user list for accounts you did not create, and check the system protocol for unexpected gaps, since clearing it is one of the actions a low-privilege session can perform.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1