CVE-2019-9726
Description
Directory Traversal / Arbitrary File Read in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to read arbitrary files of the device's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated directory traversal in Homematic CCU3 ≤3.43.15 allows remote attackers to read arbitrary files via null-byte injection in URLs.
Vulnerability
A directory traversal vulnerability exists in the web interface of eQ-3 AG Homematic CCU3 firmware versions 3.43.15 and earlier. The flaw is due to erroneous handling of null bytes in URL paths, allowing an attacker to inject .%00./ sequences to bypass access controls. For example, the URLs /.%00./.%00./tmp/event/subscriber.list and /.%00./.%00./etc/shadow are confirmed to permit arbitrary file reads [1]. No authentication is required, and the vulnerability is reachable via the device's browser-based WebUI.
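As an added illustration (not code from the advisory or from eQ-3), the Python below contrasts a check-then-strip pattern, under which a decoded `.%00./` segment collapses into `../` only after the traversal check has run, with a resolver that rejects NUL bytes outright and confines the result to an assumed document root `/www`; the request paths are constructed samples shaped like the ones the advisory cites.

```python
import os
from urllib.parse import unquote_to_bytes

DOC_ROOT = "/www"  # assumed document root for the example, not the CCU3's real layout

# Constructed sample request paths (PoC shape from the advisory, a benign path, plain traversal).
SAMPLE_REQUESTS = [
    "/.%00./.%00./etc/shadow",
    "/config/index.html",
    "/..%2F..%2Fetc%2Fpasswd",
]


def naive_resolve(url_path: str) -> str:
    """Weak pattern (assumed bug model): look for '..' in the decoded path, THEN drop
    NUL bytes. The check sees '.\\x00.' while the filesystem sees '..', so the
    traversal slips through and normpath walks above DOC_ROOT."""
    decoded = unquote_to_bytes(url_path)
    if b".." in decoded:
        raise PermissionError("traversal rejected")
    cleaned = decoded.replace(b"\x00", b"").decode("latin-1")
    return os.path.normpath(DOC_ROOT + "/" + cleaned.lstrip("/"))


def safe_resolve(url_path: str) -> str:
    """Hardened resolver: NUL is never valid in a URL path, so reject it before any
    normalisation; then confine the normalised path to DOC_ROOT by component, so
    '/wwwx/...' is not mistaken for a child of '/www'. (Symlinks inside the root would
    additionally need realpath() against the live filesystem.)"""
    decoded = unquote_to_bytes(url_path)
    if b"\x00" in decoded:
        raise ValueError("NUL byte in path")
    rel = decoded.decode("utf-8").lstrip("/")
    candidate = os.path.normpath(os.path.join(DOC_ROOT, rel))
    if os.path.commonpath([DOC_ROOT, candidate]) != DOC_ROOT:
        raise PermissionError("path escapes document root")
    return candidate


def safe_check(url_path: str) -> tuple:
    """Convenience wrapper: (allowed, resolved path or rejection reason)."""
    try:
        return True, safe_resolve(url_path)
    except (ValueError, PermissionError) as exc:
        return False, str(exc)


def looks_like_nul_traversal(request_path: str) -> bool:
    """Access-log detection: a NUL byte that, once stripped, yields a '..' segment."""
    decoded = unquote_to_bytes(request_path)
    return b"\x00" in decoded and b".." in decoded.replace(b"\x00", b"")
```

Running `looks_like_nul_traversal` over web-server access logs flags the `%00`-based variant even where a plain `../` signature would not match.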
Exploitation
An unauthenticated attacker with network access to the Homematic CCU3 web interface can exploit this by sending crafted HTTP GET requests containing directory traversal sequences with embedded null bytes. Proof-of-concept requests include GET /.%00./.%00./etc/shadow HTTP/1.1 [1]. The attacker does not require any special privileges or user interaction; the vulnerability is triggered directly by the web server parsing the malformed URL.
Impact
Successful exploitation allows an unauthenticated remote attacker to read arbitrary files from the CCU3's filesystem. This can lead to disclosure of sensitive information such as password hashes (e.g., /etc/shadow) and configuration files (e.g., /tmp/event/subscriber.list). The confidentiality of the device and potentially the entire home automation network is compromised. No code execution is reported, but leaked credentials could enable further attacks.
Mitigation
eQ-3 AG has not released a public fix as of the advisory publication date (2019-05-13). Users are advised to restrict network access to the CCU3's web interface (e.g., via firewall rules, VPN, or disabling remote access) to prevent exposure to unauthenticated attackers. The affected versions are prior to 3.43.16; if an update becomes available, upgrading is recommended. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- eQ-3 AG / Homematic CCU3
- Range: <=3.43.15
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] atomic111.github.io/article/homematic-ccu3-fileread (refsource: MISC)
News mentions
No linked articles in our index yet.