CVE-2019-15850
Description
eQ-3 HomeMatic CCU3 firmware version 3.41.11 allows Remote Code Execution in the ReGa.runScript method. An authenticated attacker can easily execute code and compromise the system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated remote code execution in HomeMatic CCU3 firmware 3.41.11 via the ReGa.runScript method of the WebUI.
Vulnerability
An authenticated remote code execution vulnerability exists in eQ-3 HomeMatic CCU3 firmware version 3.41.11. The flaw resides in the ReGa.runScript method of the WebUI accessible via the /api/homematic.cgi endpoint. An attacker with valid credentials to the web interface can send a crafted JSON payload containing arbitrary script commands, which are then executed by the underlying system without proper sanitization [2]. All devices running firmware version 3.41.11 are affected [2].
Exploitation
An attacker must have valid authentication credentials for the CCU3 WebUI. After logging in, the attacker crafts a POST request to /api/homematic.cgi with a JSON body containing the ReGa.runScript method and a malicious script parameter. No additional user interaction is required beyond the authenticated session [2]. The following is an example of the HTTP request structure:
POST /api/homematic.cgi HTTP/1.1
Host: 192.168.0.125
Content-Type: application/json
...
{"version": "1.1", "method": "ReGa.runScript", "params": {"script": "string stdout;string stde..."}}
The request is processed directly, leading to execution of the supplied script on the host system [2].
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands with the privileges of the web service. This results in full compromise of the CCU3 device, including unauthorized access to sensitive data, manipulation of the home automation system, and potential use as a pivot point for further network attacks [2]. The CIA impact is complete: the attacker can read, modify, or delete any data accessible to the system, and can disrupt or control connected smart home devices [2].
Mitigation
As of the advisory publication date (2019-10-17), no patch was available for version 3.41.11. Users are advised to monitor vendor updates from eQ-3 [1]. The vendor subsequently announced continued security updates for Homematic CCU3 for at least ten years from 2023 [1]. However, no specific fixed version was disclosed in available references [1][2]. Workarounds include restricting network access to the WebUI to trusted administrators only and ensuring strong authentication credentials are used [2].
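The workaround of limiting WebUI access to trusted administrators can be checked against captured traffic. The following is an added example, not code from the advisory or from eQ-3: it reviews request records for ReGa.runScript calls to /api/homematic.cgi that come from outside an administrator range. The admin range, the record layout and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import json

ENDPOINT = "/api/homematic.cgi"   # endpoint named in the advisory
METHOD = "ReGa.runScript"         # JSON method named in the advisory
# Assumption: administrators reach the WebUI only from this management range.
ADMIN_NETS = [ipaddress.ip_network("192.168.0.0/28")]

# Constructed sample records: (source IP, HTTP verb, path, request body).
# "<placeholder>" and "Other.method" are stand-ins, not real values.
SAMPLE = [
    ("192.168.0.5", "POST", "/api/homematic.cgi",
     '{"version": "1.1", "method": "ReGa.runScript", "params": {"script": "<placeholder>"}}'),
    ("192.168.0.77", "POST", "/api/homematic.cgi",
     '{"params":{"script":"<placeholder>"},"method" : "ReGa.runScript","version":"1.1"}'),
    ("192.168.0.77", "POST", "/api/homematic.cgi",
     '{"version": "1.1", "method": "Other.method", "params": {}}'),
    ("10.0.0.9", "POST", "/api/homematic.cgi", "not json"),
    ("10.0.0.9", "GET", "/index.htm", ""),
]


def is_admin(src):
    """True when the source address lies inside an allowlisted admin network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ADMIN_NETS)


def review(records):
    """Return (source, reason) findings for requests to the JSON API endpoint."""
    findings = []
    for src, verb, path, body in records:
        if verb != "POST" or path.split("?", 1)[0] != ENDPOINT:
            continue
        try:
            msg = json.loads(body)  # parse, so spacing and key order do not matter
        except ValueError:
            findings.append((src, "unparseable-body"))
            continue
        if not isinstance(msg, dict) or msg.get("method") != METHOD:
            continue
        if not is_admin(src):
            findings.append((src, "runScript-from-untrusted-source"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE):
        print(finding)
```

Parsing the body as JSON, instead of matching a fixed string, keeps the check independent of key order and whitespace in the request.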
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- eQ-3/HomeMatic CCU3 firmware (description)
- Range: = 3.41.11
Patches
No patches discovered yet.
References
- noskill1337.github.io/homematic-ccu3-remote-code-execution (mitre, x_refsource_MISC)
- www.eq-3.com/products/homematic.html (mitre, x_refsource_MISC)