VYPR
Unrated severity · NVD Advisory · Published Nov 14, 2019 · Updated Aug 5, 2024

CVE-2019-18938

Description

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated remote code execution in eQ-3 Homematic CCU2/CCU3 E-Mail AddOn via save.cgi and testtcl.cgi scripts.

Vulnerability

The E-Mail AddOn version 1.6.8.c and prior for eQ-3 Homematic CCU2 firmware 2.47.20 and CCU3 firmware 3.47.18 contains an improper access control vulnerability (CWE-284) [1]. The save.cgi script allows unauthenticated file uploads, and the testtcl.cgi script executes uploaded Tcl scripts without authentication, enabling remote code execution.

Exploitation

An unauthenticated attacker with network access to the CCU web interface can upload a malicious Tcl script via save.cgi and then trigger its execution by calling testtcl.cgi [1]. No prior authentication or user interaction is required.

Impact

Successful exploitation yields remote code execution on the CCU device with the privileges of the web server process, typically root [1]. This allows full compromise of the smart home controller, including control of connected devices, data exfiltration, and potential lateral movement.

Mitigation

The E-Mail AddOn developer released version 1.7.0 on 2020-11-04, which addresses the vulnerability [1]. Users should update to 1.7.0 or later. The vendor eQ-3 stated they are not responsible for AddOn security [1]. No workaround is documented. This CVE is not listed on the CISA Known Exploited Vulnerabilities catalog.
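Since no workaround is documented, detection is the practical stop-gap for devices that cannot be updated yet. As an added example written for this page (not code from the advisory, the AddOn or eQ-3), the correlator below scans web-server access-log lines for the upload-then-execute chain described under Exploitation: a request to save.cgi followed by a request to testtcl.cgi from the same client within a short window. The sample log lines and the /addons/email/ path prefix are constructed assumptions; matching is done on the script names only.

```python
import re
from datetime import datetime

# Constructed sample access-log lines (common log format). The path prefix
# /addons/email/ is an assumption; only the script basenames are matched.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Nov/2019:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512
10.0.0.9 - - [14/Nov/2019:10:02:10 +0000] "POST /addons/email/save.cgi HTTP/1.1" 200 17
10.0.0.9 - - [14/Nov/2019:10:02:13 +0000] "GET /addons/email/testtcl.cgi HTTP/1.1" 200 88
10.0.0.7 - - [14/Nov/2019:10:05:00 +0000] "GET /addons/email/testtcl.cgi HTTP/1.1" 200 88
10.0.0.7 - - [14/Nov/2019:11:30:00 +0000] "POST /addons/email/save.cgi HTTP/1.1" 200 17
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_SCRIPT = "save.cgi"      # payload upload step named in the advisory
EXECUTE_SCRIPT = "testtcl.cgi"  # execution step named in the advisory


def parse_line(line):
    """Return (client_ip, timestamp, script_basename) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    script = m.group("path").split("?")[0].rsplit("/", 1)[-1]
    return m.group("ip"), ts, script


def find_upload_exec_chains(log_text, window_seconds=300):
    """Return (ip, upload_ts, exec_ts) for each save.cgi hit that is followed by a
    testtcl.cgi hit from the same client within window_seconds. A testtcl.cgi hit
    that precedes any upload from that client is not counted as a chain."""
    last_upload = {}
    chains = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, script = parsed
        if script == UPLOAD_SCRIPT:
            last_upload[ip] = ts
        elif script == EXECUTE_SCRIPT and ip in last_upload:
            delta = (ts - last_upload[ip]).total_seconds()
            if 0 <= delta <= window_seconds:
                chains.append((ip, last_upload[ip].isoformat(), ts.isoformat()))
    return chains


if __name__ == "__main__":
    for ip, up, ex in find_upload_exec_chains(SAMPLE_LOG):
        print(f"upload/execute chain from {ip}: save.cgi at {up}, testtcl.cgi at {ex}")
```

Any access to either script from an unexpected client is worth alerting on by itself; the chain check only ranks the most suspicious sequences first.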

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • eQ-3/Homematic CCU2/CCU3
  • Range: 2.47.20 (with E-Mail AddOn <= 1.6.8.c)

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.