CVE-2019-14985
Description
eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can execute arbitrary commands on Homematic CCU2/CCU3 with CUxD AddOn via unprotected CMD_EXEC device.
Vulnerability
The eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed expose an unprotected virtual device type 28 (CMD_EXEC) that allows remote code execution. CUxD AddOn version 2.3.4 and prior, along with the affected firmware versions (CCU2: 2.35.16–2.47.15; CCU3: 3.41.11–3.47.15), are vulnerable. The web interface can access this device without authentication, enabling arbitrary command execution [1].
Exploitation
An attacker only requires network access to the web interface of the Homematic CCU. No authentication or user interaction is needed. By sending crafted HTTP requests to trigger the CMD_EXEC virtual device, the attacker can execute arbitrary operating system commands with root privileges [1].
Impact
Successful exploitation leads to complete compromise of the CCU device. The attacker gains remote code execution as root, resulting in full loss of confidentiality, integrity, and availability. The CVSSv3 base score is 10.0 (Critical) [1].
Mitigation
As of the publication date, no official patch is available from eQ-3 (the vendor states it is not responsible for AddOns) or from the CUxD developer. The only mitigation is to restrict or disable access to the web interface, or to remove the CUxD AddOn entirely. Users should consider network-level controls to limit exposure until a fix is released [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- eQ-3/Homematic CCU2 and CCU3 with the CUxD AddOn
Patches
No patches discovered yet.
References
[1] psytester.github.io/CVE-2019-14985/ (mitre, x_refsource_MISC)