CVE-2019-15849
Description
eQ-3 HomeMatic CCU3 firmware 3.41.11 allows session fixation. An attacker can create session IDs and send them to the victim. After the victim logs in to the session, the attacker can use that session. The attacker could create SSH logins after a valid session and easily compromise the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
HomeMatic CCU3 firmware 3.41.11 allows session fixation; an attacker can pre-set a session ID and, after victim login, hijack the session to gain SSH access and compromise the system.
Vulnerability
HomeMatic CCU3 firmware version 3.41.11 suffers from a session fixation vulnerability in its web-based login interface (login.htm). When a user accesses the login page, the system generates a session ID (SID) that is appended to the URL. The session ID is not regenerated upon successful authentication, meaning the same identifier persists before and after login. This allows an attacker to fixate a session ID that will be reused by the victim [2].
Exploitation
An attacker must first obtain a valid session ID by visiting the CCU3 login page (e.g., http://192.168.0.125/login.htm). The server responds with a URL containing a sid parameter (e.g., ?sid=@s8JJ2bEJOr@). The attacker then sends this crafted URL to a victim who is a legitimate user of the CCU3. If the victim clicks the link and logs in to the web interface, the attacker can reuse the same session ID to gain access without additional authentication. The attacker must be on the same network or be able to deliver the malicious link to the victim [2].
Impact
Successful exploitation allows the attacker to hijack an authenticated session and obtain the same privileges as the victim. Because the victim is often an administrator, the attacker can then create SSH logins, access sensitive configuration files, and fully compromise the HomeMatic CCU3 system. This leads to a complete loss of confidentiality, integrity, and availability of the smart home central unit [1][2].
Mitigation
eQ-3 has discontinued the Homematic (Classic) product line, but continues to provide security-relevant updates for at least ten years from the announcement date (June 2023) [1]. Users should upgrade to the latest available firmware version for CCU3 to address this vulnerability. No specific patch version has been confirmed in the available references for CVE-2019-15849; therefore, users should check the vendor's update channel regularly. A workaround is to ensure that CCU3 is not exposed to untrusted networks and to instruct users not to click untrusted links containing session IDs [2].
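Added here as an illustration, not code from eQ-3 or the CCU3 firmware: a toy Python model of the login flow the page describes (a session ID issued before authentication and kept unchanged afterwards), with the fixating handler beside a hardened one that rotates the ID on successful login. The credential check, user name and password are constructed stand-ins.

```python
import secrets


class SessionStore:
    """Minimal server-side session table: sid -> {"user": name or None}."""

    def __init__(self):
        self.sessions = {}

    def new_session(self) -> str:
        """Issue an anonymous session, as login.htm does before credentials are seen."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": None}
        return sid

    def is_authenticated(self, sid: str) -> bool:
        return self.sessions.get(sid, {}).get("user") is not None


def check_credentials(user: str, password: str) -> bool:
    # Constructed credential check standing in for the real one.
    return user == "admin" and password == "correct-horse"


def login_fixating(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Vulnerable pattern: authenticate in place, so whoever already holds `sid`
    now holds an authenticated session (the CCU3 3.41.11 behaviour)."""
    if sid not in store.sessions or not check_credentials(user, password):
        raise PermissionError("login failed")
    store.sessions[sid]["user"] = user
    return sid


def login_rotating(store: SessionStore, sid: str, user: str, password: str) -> str:
    """Hardened pattern: discard the pre-login sid and mint a fresh one bound to the user."""
    if sid not in store.sessions or not check_credentials(user, password):
        raise PermissionError("login failed")
    del store.sessions[sid]  # a sid planted before login is now worthless
    fresh = secrets.token_urlsafe(16)
    store.sessions[fresh] = {"user": user}
    return fresh


def fixation_succeeds(login) -> bool:
    """Regression check: a sid obtained before login, then used by the victim to
    log in. Returns True if that pre-login sid ends up authenticated."""
    store = SessionStore()
    planted = store.new_session()                  # sid from the login page
    login(store, planted, "admin", "correct-horse")  # victim logs in via that sid
    return store.is_authenticated(planted)         # third party still holds `planted`
```

`fixation_succeeds` is the check a firmware test suite would keep: it must return False for the production login handler.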
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- eQ-3/HomeMatic CCU3 firmware
- Range: =3.41.11
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] www.eq-3.com/products/homematic.html
- [2] noskill1337.github.io/homematic-ccu3-session-fixation
News mentions
No linked articles in our index yet.