CVE-2019-14474
Description
eQ-3 Homematic CCU3 3.47.15 and prior have improper input validation in the 'Call()' function of the ReGa core logic process, which allows an attacker to start a denial of service. Because of improper authorization, an attacker can obtain a session ID via CVE-2019-9583; a valid guest, user, or admin account can also be used to start this attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper input validation in the ReGa core's Call() function allows unauthenticated denial of service on eQ-3 Homematic CCU3 3.47.15 and earlier.
Vulnerability
The vulnerability resides in the ReGa core logic process of eQ-3 Homematic CCU3 firmware version 3.47.15 and earlier. The Call() function fails to properly validate input (CWE-20), enabling a denial of service condition. Versions tested as affected include 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, and 3.47.15 [1]. The vendor provided no patch or official reference at disclosure time [1].
Exploitation
An attacker can exploit this vulnerability without requiring any privileges by first obtaining a valid session ID, either through CVE-2019-9583 (which allows session ID theft due to improper authorization) or by having a legitimate guest, user, or admin account [1]. The attack does not require user interaction and can be performed over the network (CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) [1]. The attacker sends crafted input to the Call() function, triggering the denial of service.
Impact
Successful exploitation results in a denial of service (availability impact) against the CCU3 system. The attack does not disclose confidential information or affect data integrity; it solely disrupts the smart home control unit's ability to function. The CVSSv3 base score is 7.5 (High) [1].
Mitigation
As of the publication date (August 2019), no vendor patch or official workaround had been released [1]. The vendor was contacted on 8 May 2019 but did not confirm receipt or provide a fix timeline [1]. Users are advised to monitor vendor channels for a future firmware update. There is no indication that this CVE has been added to CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- eQ-3/Homematic CCU3
- Range: <=3.47.15
Patches
No patches discovered yet.
References
- [1] psytester.github.io/CVE-2019-14474 (mitre, x_refsource_MISC)