Unrated severity · NVD Advisory · Published Aug 14, 2019 · Updated Aug 4, 2024

CVE-2019-9584

Description

eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shut down the VPN service, and delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Improper access control in eQ-3 Homematic CloudMatic AddOn on CCU2/CCU3 allows unauthenticated attackers to obtain VPN details, stop VPN, and delete VPN config.

Vulnerability

The CloudMatic AddOn for Homematic CCU2 and CCU3 suffers from improper access control (CWE-284) on all /addons/mh/ pages [1][2]. This allows remote attackers to access administrative functions without authentication. Affected firmware versions for CCU2 include 2.35.16 through 2.49.17, and for CCU3 include 3.41.11 through 3.49.17 [1][2].

Exploitation

An attacker can send HTTP requests to the /addons/mh/ endpoints without any authentication or prior knowledge. No user interaction or special network position is required; the vulnerability is exploitable over the network [1][2]. The CVSS vector indicates network access, low complexity, and no privileges required [2].
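
One way to look for this access pattern in web access logs, added here as an example and not taken from the advisory or the vendor: it flags requests to /addons/mh/ pages that come from outside an admin allowlist. The log format (Common/Combined Log Format), the allowlist network and the page name in the sample lines are assumptions.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Assumption: access log in Common/Combined Log Format; adapt LOG_RE otherwise.
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
PREFIX = "/addons/mh"  # the advisory covers all /addons/mh/ pages
# Assumption (constructed value): the only network allowed to administer the CCU.
ADMIN_NETS = [ipaddress.ip_network("192.168.10.0/28")]

def normalized_path(target):
    """Drop the query string, percent-decode, collapse '//' and '.' segments."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    return posixpath.normpath("/" + path.lstrip("/"))

def is_admin_source(src, admin_nets):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or malformed field: treat as untrusted
    return any(addr in net for net in admin_nets)

def find_addon_access(lines, admin_nets=ADMIN_NETS):
    """Return one finding per /addons/mh/ request from a non-admin source.
    'served' is True for 2xx, i.e. the page was answered rather than refused."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed log format
        path = normalized_path(m["target"])
        if path != PREFIX and not path.startswith(PREFIX + "/"):
            continue
        if is_admin_source(m["src"], admin_nets):
            continue
        status = int(m["status"])
        findings.append({"src": m["src"], "time": m["ts"], "method": m["method"],
                         "path": path, "status": status, "served": 200 <= status < 300})
    return findings

# Constructed sample lines; "example-page" is a placeholder, not a real file name.
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Aug/2019:10:01:02 +0000] "GET /addons/mh/example-page HTTP/1.1" 200 512',
    '192.168.10.5 - - [14/Aug/2019:10:02:00 +0000] "GET /addons/mh/example-page HTTP/1.1" 200 512',
    '203.0.113.7 - - [14/Aug/2019:10:03:00 +0000] "GET / HTTP/1.1" 200 100',
    '198.51.100.9 - - [14/Aug/2019:10:04:00 +0000] "POST /addons//mh/example-page?x=1 HTTP/1.1" 401 0',
]
```

Calling `find_addon_access(SAMPLE_LOG)` returns two findings: the served request from 203.0.113.7 and the refused one from 198.51.100.9; the request from the allowlisted admin host is skipped.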

Impact

Successful exploitation allows an attacker to obtain VPN profile details, shut down the VPN service, and delete the VPN service configuration [1][2]. This compromises confidentiality (VPN credentials), integrity (service disruption), and availability (loss of VPN connectivity). The CVSS base score is 9.8 (Critical) [2].

Mitigation

The vendor EASY SmartHome GmbH provided a hotpatch via GitHub commit #76274aa, and a full fix for CCU3 is included in firmware version 3.53.26 released on 18 August 2020 [1][2]. For CCU2, no official patch is available; users are advised to disable or remove the CloudMatic AddOn if possible [1][2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
