CVE-2019-14475
Description
eQ-3 Homematic CCU2 2.47.15 and prior and CCU3 3.47.15 and prior use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID from CVE-2019-9583, resulting in the ability to read the service messages, clear the system protocol, create a new user in the system, or modify/delete internal programs.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
eQ-3 Homematic CCU2 firmware 2.47.15 and earlier and CCU3 firmware 3.47.15 and earlier use session IDs for authentication but lack authorization checks, allowing remote attackers to perform unauthorized actions after obtaining a valid session ID via CVE-2019-9583.
Vulnerability
CVE-2019-14475 is an improper authorization vulnerability (CWE-285) in eQ-3 Homematic CCU2 firmware versions 2.47.12, 2.47.15 and earlier, and CCU3 firmware versions 3.47.10, 3.47.15 and earlier [1]. The devices use session IDs to authenticate users but do not perform adequate authorization checks on subsequent requests. This means that once an attacker obtains a valid session ID (which can be done via CVE-2019-9583), they can access privileged functions without needing to authenticate as an authorized user [1].
Exploitation
An attacker needs to first obtain a valid session ID, which is possible through exploitation of CVE-2019-9583 as described in the advisory [1]. No authentication or prior access to the device is required; the attacker can be in a remote network position. Once the attacker has the session ID, they can send crafted HTTP requests to the CCU2 or CCU3 web interface (WebUI) to perform actions such as reading service messages, clearing the system protocol, creating new users, and modifying or deleting internal programs [1]. The advisory states that the created user account does not function fully, but the other actions are executed successfully.
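As an added illustration of the CWE-285 pattern described in the Vulnerability and Exploitation sections (this is example code written for this page, not code from the CCU firmware or from the advisory): a toy web-UI backend whose vulnerable dispatcher treats any known session ID as full authorization, next to a fixed dispatcher that looks up the session (authentication) and then checks the session's permissions for the requested action (authorization) as a separate step. The session store, role model, permission names and the `clear_system_protocol`-style action names are assumptions modelled only on the actions the advisory lists.

```python
"""CWE-285 (missing authorization check) beside its fix.

Added example for this page; not the CCU2/CCU3 implementation. The role
model, permission names and action names below are hypothetical.
"""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Privileged actions the advisory lists as reachable with only a session ID.
# The permission string attached to each action is an assumption.
ACTION_PERMISSIONS: Dict[str, str] = {
    "read_service_messages": "service:read",
    "clear_system_protocol": "protocol:clear",
    "create_user": "user:create",
    "modify_program": "program:write",
    "delete_program": "program:write",
}

# Hypothetical role model: only an administrator holds the permissions above.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "admin": set(ACTION_PERMISSIONS.values()),
    "user": set(),
}


@dataclass
class Session:
    user: str
    role: str


@dataclass
class Controller:
    """Toy stand-in for a web-UI backend with a session table and an audit log."""
    sessions: Dict[str, Session] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def login(self, user: str, role: str) -> str:
        # Issue an unguessable session ID bound to a user and a role.
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, role)
        return sid

    def vulnerable_dispatch(self, sid: str, action: str) -> str:
        """CWE-285: possession of any valid session ID is taken as authorization."""
        if sid not in self.sessions:
            return "401 unauthenticated"
        if action not in ACTION_PERMISSIONS:
            return "404 unknown action"
        self.audit.append(f"{self.sessions[sid].user}:{action}")
        return f"200 {action} executed"

    def fixed_dispatch(self, sid: str, action: str) -> str:
        """Authentication (session lookup) and authorization (permission check) as two steps."""
        session = self.sessions.get(sid)
        if session is None:
            return "401 unauthenticated"
        needed = ACTION_PERMISSIONS.get(action)
        if needed is None:
            return "404 unknown action"
        if needed not in ROLE_PERMISSIONS.get(session.role, set()):
            # Record the denied attempt: a useful detection signal for session misuse.
            self.audit.append(f"{session.user}:{action}:denied")
            return "403 forbidden"
        self.audit.append(f"{session.user}:{action}")
        return f"200 {action} executed"


def demo() -> Dict[str, str]:
    """Run the same requests through both dispatchers and return the responses."""
    ctl = Controller()
    admin_sid = ctl.login("admin", "admin")
    guest_sid = ctl.login("guest", "user")  # low-privilege session (constructed)
    return {
        "vuln_guest_clear": ctl.vulnerable_dispatch(guest_sid, "clear_system_protocol"),
        "fixed_guest_clear": ctl.fixed_dispatch(guest_sid, "clear_system_protocol"),
        "fixed_admin_clear": ctl.fixed_dispatch(admin_sid, "clear_system_protocol"),
        "fixed_bogus_sid": ctl.fixed_dispatch("not-a-session", "create_user"),
    }


if __name__ == "__main__":
    for name, response in demo().items():
        print(f"{name}: {response}")
```

The point of the split is that the vulnerable handler answers only "is this session real?", so a low-privilege or leaked session ID is enough to clear the protocol or create a user; the fixed handler additionally asks "may this session's principal do this?" on every privileged request and logs refusals, which is also where monitoring for unauthorized session usage would hook in.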
Impact
Successful exploitation allows an attacker to achieve high impact on confidentiality, integrity, and availability. The attacker can read service messages (confidentiality breach), clear the system protocol (tampering with logs), create new users (persistence), and modify or delete internal programs (integrity and availability impact) [1]. The CVSSv3 score is 10.0 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating network-based exploitation with no privileges or user interaction, and scope change to affect resources beyond the vulnerable component [1].
Mitigation
As of the advisory publication date (August 2019), the vendor (eQ-3) had not released a patch for either CCU2 or CCU3, and the available references mention neither a fixed version nor a workaround [1]. Whether the affected firmware versions are end-of-life is not stated. Until a fix is available, restrict network access to the CCU devices, monitor for unauthorized session usage, and check the vendor periodically for firmware updates.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- eQ-3/Homematic CCU2
  - Range: <=2.47.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] psytester.github.io/CVE-2019-14475 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.