VYPR
Unrated severity · NVD Advisory · Published Aug 13, 2019 · Updated Aug 5, 2024

CVE-2019-14986


Description

eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The CUxD AddOn (versions 2.2.0 and prior) for eQ-3 Homematic CCU2/CCU3 exposes administrative features to unauthenticated remote attackers, with no access control in place.

Vulnerability

The eQ-3 Homematic CCU2 and CCU3 central units, when the third-party CUxD AddOn version 2.2.0 or earlier is installed, expose administrative interfaces such as File-Browser, Shell Command, and the ability to set the root password. These functions are accessible via the URL path /addons/cuxd/maintenance.html without any authentication. The vendor eQ-3 considers the AddOn a third-party extension and did not provide a central fix, leaving the remediation to the CUxD developer. [1]

Exploitation

An unauthenticated attacker with network access to the Homematic CCU2 or CCU3 web interface (typically port 80) can navigate directly to the maintenance page. From there, they can execute shell commands, browse the file system, or change the root password without requiring any prior access, credentials, or user interaction. [1]

Impact

Successful exploitation grants an attacker full administrative control over the Homematic CCU. They can read, modify, or delete all files on the device, execute arbitrary commands as root, and permanently lock out legitimate administrators by changing the root password. Given the network-accessible attack vector, this leads to complete compromise of the home automation central unit. [1]

Mitigation

The CUxD AddOn developer released version 2.3.0, which introduces proper access controls and fixes the vulnerability. Users must manually update the AddOn to version 2.3.0 or later via the Homematic WebUI AddOn management. No workarounds are documented; disabling the CUxD AddOn entirely also eliminates the vulnerable interface. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the report date. [1]

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
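One way to review web access logs for requests to the CUxD pages that came from outside the management network, as an added example (not part of the advisory and not CUxD or eQ-3 code). It assumes the CCU's web server, or a reverse proxy in front of it, writes Common Log Format lines; `ADMIN_NETS`, the function names and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote

# Path prefix of the CUxD AddOn pages named in the advisory text.
CUXD_PREFIX = "/addons/cuxd/"
# Assumption: the only addresses expected to administer the CCU.
ADMIN_NETS = [ipaddress.ip_network("192.168.10.0/28")]
# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.168.10.5 - - [12/Aug/2019:09:14:02 +0200] "GET /addons/cuxd/maintenance.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Aug/2019:09:20:41 +0200] "GET /addons/cuxd/maintenance.html HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Aug/2019:09:20:55 +0200] "GET /addons/cuxd/maintenance.html?x=1 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/Aug/2019:10:01:13 +0200] "GET /index.htm HTTP/1.1" 200 811',
    'truncated or malformed line',
]

def normalise(target):
    """Drop the query string, decode %xx, lower-case, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0]).lower()
    return re.sub(r"/+", "/", path)

def find_cuxd_access(lines):
    """Return {source: [(time, method, path, status), ...]} for CUxD requests
    whose source address is outside ADMIN_NETS."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        host, when, method, target, status = m.groups()
        path = normalise(target)
        if not path.startswith(CUXD_PREFIX):
            continue
        try:
            src = ipaddress.ip_address(host)
        except ValueError:
            src = None  # hostname logged instead of an IP: treat as untrusted
        if src is not None and any(src in net for net in ADMIN_NETS):
            continue
        hits[host].append((when, method, path, int(status)))
    return dict(hits)

if __name__ == "__main__":
    for source, requests in find_cuxd_access(SAMPLE_LOG).items():
        print(source, len(requests), "CUxD request(s):", requests)
```

A 200 response to any flagged request on a CCU still running a CUxD version before 2.3.0 means the maintenance page was served without authentication to that source.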

Affected products

3


References

1
