VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2019 · Updated Aug 5, 2024

CVE-2019-18937


Description

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser AddOn through 1.8 installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi script, which executes TCL script content from an HTTP POST request.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated RCE via ScriptParser AddOn on eQ-3 Homematic CCU2/CCU3 by sending TCL script content to exec.cgi.

Vulnerability

CVE-2019-18937 affects eQ-3 Homematic CCU2 firmware 2.47.20 and CCU3 firmware 3.47.18 when the ScriptParser AddOn version 1.8 or earlier is installed. The vulnerability resides in the exec.cgi script located at /addons/script/exec.cgi. This script executes arbitrary TCL script content received in an HTTP POST request body without performing any authentication or access-control check. The AddOn developer acknowledged this design choice, stating that the parser is not password-protected and does not operate on a session basis [1].

Exploitation

An unauthenticated attacker who can reach the Homematic CCU's web interface (port 80) can send a crafted HTTP POST request to /addons/script/exec.cgi containing arbitrary TCL code in the POST body. No authentication or user interaction is required; network reachability of the web interface is the only precondition. The TCL code is executed on the underlying system with the privileges of the web server process [1].

Impact

Successful exploitation allows an attacker to achieve remote code execution on the affected Homematic CCU device. The CVSSv3 base score is 10.0, with the vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating the vulnerability is network-exploitable, requires no privileges or user interaction, and has a scope change leading to full compromise of confidentiality, integrity, and availability [1]. The attacker can execute arbitrary commands, install malware, modify system configurations, or disrupt the smart home control functionality.

Mitigation

The ScriptParser AddOn developer released version 1.9 on 03.11.2020, which addresses the vulnerability [1]. Affected users should update the ScriptParser AddOn to version 1.9 or later on their CCU2 or CCU3 devices. The vendor eQ-3 stated that it is not responsible for AddOn security, so no official firmware patch is provided. For installations where the AddOn is not required, removing the ScriptParser AddOn entirely is an effective workaround. As of the publication date, this vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
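As an added example (not code from the advisory, eQ-3 or the AddOn project), the following Python covers the two defender checks the Exploitation and Mitigation sections imply: it flags requests to the exec.cgi endpoint in a web-server access log, ranking POSTs first, and compares an installed ScriptParser version against the 1.9 fix. The common log format, the IP addresses and the version strings are assumed or constructed.

```python
import re
from typing import List, Dict

# Added example (not the advisory's own code): log format and endpoint path are assumptions.
LOG_LINE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
EXEC_CGI = "/addons/script/exec.cgi"   # unauthenticated endpoint named in the advisory
FIXED_VERSION = (1, 9)                 # ScriptParser 1.9 addresses CVE-2019-18937

def parse_version(v: str) -> tuple:
    """'1.8' -> (1, 8); tolerates a trailing suffix such as '1.8-beta'."""
    core = re.match(r"\d+(?:\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in core.group(0).split("."))

def addon_is_vulnerable(version: str) -> bool:
    """True when the installed ScriptParser AddOn predates the 1.9 fix."""
    return parse_version(version) < FIXED_VERSION

def find_exec_cgi_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return every request to exec.cgi; POSTs carry script content, so they rank first."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip lines not in the expected format
        path = m.group("path").split("?", 1)[0].lower()   # drop query string
        if path != EXEC_CGI:
            continue
        hits.append({
            "src": m.group("src"), "ts": m.group("ts"),
            "method": m.group("method"), "status": m.group("status"),
            "severity": "high" if m.group("method") == "POST" else "info",
        })
    hits.sort(key=lambda h: h["severity"] != "high")   # high first, stable order
    return hits

# Constructed sample lines (not real traffic) in common log format.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2019:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '192.0.2.77 - - [14/Nov/2019:10:01:09 +0000] "POST /addons/script/exec.cgi HTTP/1.1" 200 87',
    '192.0.2.77 - - [14/Nov/2019:10:01:11 +0000] "GET /addons/script/exec.cgi?x=1 HTTP/1.1" 200 33',
    'malformed line that the parser should skip',
]
```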

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)