Unrated severity · NVD Advisory · Published Sep 17, 2019 · Updated Aug 5, 2024

CVE-2019-16199

Description

eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated attackers can execute arbitrary code on Homematic CCU2/CCU3 via crafted HTTP POST requests to the ReGa core process.

Vulnerability

An improper access control vulnerability (CWE-284) exists in eQ-3 Homematic CCU2 before firmware version 2.47.18 and CCU3 before firmware version 3.47.18 [1]. The flaw resides in the ReGa core process, which handles web interface requests. An unauthenticated attacker with network access to the web interface can send a specially crafted HTTP POST request to certain URLs associated with the ReGa process, leading to remote code execution. The vendor has confirmed the issue and released patches in versions 2.47.18 for CCU2 and 3.47.18 for CCU3 [1].

Exploitation

An attacker does not require any authentication or prior access to the system. The only requirement is network connectivity to the Homematic CCU2 or CCU3 web interface on the default HTTP port. By sending a malicious HTTP POST request to specific URLs handled by the ReGa core process, the attacker can trigger arbitrary command execution. The public advisory does not detail the exact request parameters, but it confirms that unauthenticated POST requests to the ReGa process are sufficient to achieve code execution [1].

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary code with the privileges of the ReGa process, which likely runs with high system rights. This results in complete compromise of the confidentiality, integrity, and availability of the device (CVSSv3 base score 10.0). The impacted versions span multiple firmware releases for both CCU2 and CCU3, including 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15 for CCU2, and 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15 for CCU3 [1].

Mitigation

Users should update their Homematic CCU2 to firmware version 2.47.18 or later, and CCU3 to version 3.47.18 or later, which contain the fix for this vulnerability [1]. The vendor released these patches in September 2019. No workarounds have been publicly documented; restricting network access to the web interface (e.g., by placing it behind a firewall or VPN) can reduce the attack surface but is not a complete mitigation. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog.
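To apply the version guidance above across more than one device, the following added example (not vendor or advisory code) classifies an inventory of CCU2/CCU3 units against the fixed releases 2.47.18 and 3.47.18. The CSV layout, hostnames and function names are assumptions made for illustration; the sample inventory is constructed.

```python
import csv
import io
import re

# First fixed firmware per product, as stated in the advisory text above.
FIXED = {"CCU2": (2, 47, 18), "CCU3": (3, 47, 18)}


def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not in x.y.z form."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    return tuple(int(p) for p in m.groups()) if m else None


def classify(model, firmware):
    """Return 'vulnerable', 'patched' or 'unknown' for one device."""
    fixed = FIXED.get(model.strip().upper())
    version = parse_version(firmware)
    if fixed is None or version is None:
        # Unknown model or unreadable version: needs manual review.
        return "unknown"
    # Tuples compare numerically per component. Comparing the raw strings
    # would wrongly rank "2.47.9" above "2.47.18".
    return "patched" if version >= fixed else "vulnerable"


# Constructed sample inventory (hostnames and column layout are made up).
SAMPLE_INVENTORY = """host,model,firmware
ccu-garage,CCU2,2.47.15
ccu-office,CCU2,2.47.18
ccu-lab,CCU3,3.45.7
ccu-home,CCU3,3.47.18
ccu-attic,CCU2,2.47.9
ccu-shed,CCU3,not-reported
"""


def audit(inventory_csv):
    """Map each host in the CSV text to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r["model"], r["firmware"]) for r in rows}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "unknown" should be checked by hand rather than assumed patched.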

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2


References

1
