VYPR
Unrated severity · NVD Advisory · Published Aug 14, 2019 · Updated Aug 4, 2024

CVE-2019-9585

Description

eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and delete Metadata.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated access to the JSON API in eQ-3 Homematic CCU2 and CCU3 metadata operations allows attackers to read, create, modify, or delete arbitrary metadata.

Vulnerability

CVE-2019-9585 is an improper access control vulnerability (CWE-284) in the JSON API of eQ-3 Homematic CCU2 and CCU3 central control units. The API does not enforce authentication or authorization for interface metadata operations (e.g., Interface.*Metadata), so any unauthenticated network attacker can call the metadata endpoints. The vulnerability affects CCU2 firmware versions prior to 2.47.10 (versions 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6 and 2.45.7 were tested) and CCU3 firmware versions prior to 3.47.10 (versions 3.41.11, 3.43.16, 3.45.5 and 3.45.7 were tested) [1][2].

Exploitation

An attacker can exploit this vulnerability by sending crafted HTTP requests to the JSON API endpoint of a reachable CCU2 or CCU3 device. No authentication, user interaction, or prior access is required. By manipulating the request parameters for metadata-related operations, the attacker is able to perform read, create, modify, and delete actions on metadata objects [1][2].

Impact

Successful exploitation allows an attacker to read arbitrary metadata stored on the device (low confidentiality impact) and, more critically, to create, modify, or delete metadata (high integrity impact). According to the CVSS vector (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L), an attacker can change metadata values, potentially altering device behavior or configuration, and can also cause limited availability impact. The scope is changed, meaning the compromised component affects resources beyond its original authorization boundary [1][2].

Mitigation

The vendor eQ-3 AG released fixes in CCU2 firmware version 2.47.10 and CCU3 firmware version 3.47.10, identified by the internal reference [HMCCU-261] in the product changelogs [1][2]. Users should update to these patched versions immediately. As of publication, no workaround is documented, and there is no indication that this CVE has been added to the CISA KEV list.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (No patches discovered yet.)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (No linked articles in our index yet.)