VYPR
Unrated severity · NVD Advisory · Published May 13, 2019 · Updated Aug 4, 2024

CVE-2019-9727

Description

Unauthenticated password hash disclosure in the User.getUserPWD method in eQ-3 AG Homematic CCU3 3.43.15 and earlier allows remote attackers to retrieve the GUI password hashes of GUI users. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated attackers can retrieve password hashes of GUI users via the User.getUserPWD method in Homematic CCU3 3.43.15 and earlier.

Vulnerability

The Homematic CCU3 (version 3.43.15 and earlier) exposes a JSON-RPC API that includes the User.getUserPWD method. Due to a misconfiguration in the access control level (LEVEL NONE), this method is accessible without any authentication [1]. An unauthenticated attacker can call this method to retrieve the password hashes of all GUI user accounts.
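As an added illustration (not eQ-3's code and not the CCU3's actual dispatcher), the following Python models an RPC method table in which every method declares a required access level: a credential-returning method declared at LEVEL NONE is reachable without any session, while the hardened table requires an admin session, and an audit helper flags any method under a sensitive namespace that needs no authentication. The request shape, the `session` field, the level constants and the sample users and hashes are all assumptions constructed for this example.

```python
"""Hypothetical RPC dispatcher model with per-method access levels.

Not the real CCU3 implementation.  Levels are ordered
NONE < USER < ADMIN; a call succeeds only when the caller's session
level is at least the level the method declares.
"""

LEVEL_NONE, LEVEL_USER, LEVEL_ADMIN = 0, 1, 2

# Constructed sample data: not real accounts, not real hashes.
USERS = {"1": {"name": "Admin", "pwd_hash": "PLACEHOLDER-HASH-1"}}
SESSIONS = {"sess-abc": LEVEL_ADMIN}   # session id -> level (assumed)


class AccessDenied(Exception):
    """Raised when the session level is below the method's level."""


def get_user_pwd(params):
    """Handler that returns the stored hash for the requested userID."""
    return USERS[params["userID"]]["pwd_hash"]


# Weak table: the hash-returning method is declared at LEVEL_NONE,
# mirroring the misconfiguration the advisory describes.
WEAK_METHODS = {"User.getUserPWD": (LEVEL_NONE, get_user_pwd)}

# Hardened table: the same handler now requires an admin session.
HARDENED_METHODS = {"User.getUserPWD": (LEVEL_ADMIN, get_user_pwd)}


def dispatch(table, request):
    """Enforce the declared level, then run the handler."""
    required, handler = table[request["method"]]
    session_level = SESSIONS.get(request.get("session"), LEVEL_NONE)
    if session_level < required:
        raise AccessDenied(request["method"])
    return handler(request.get("params", {}))


def denied(table, request):
    """True when dispatch() refuses the request (used for checks)."""
    try:
        dispatch(table, request)
    except AccessDenied:
        return True
    return False


def audit_unauthenticated_methods(table, sensitive_prefixes=("User.",)):
    """List methods in sensitive namespaces that declare LEVEL_NONE."""
    return sorted(name for name, (level, _) in table.items()
                  if level == LEVEL_NONE and name.startswith(sensitive_prefixes))
```

The audit helper is the check a reviewer of such a method table would run before shipping: any entry it returns is reachable by anyone who can reach the web interface.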

Exploitation

An attacker with network access to the CCU3 web interface can send a crafted JSON-RPC request to the User.getUserPWD method, specifying a valid userID. The method returns the corresponding password hash without requiring any session or credentials [1]. No user interaction or prior authentication is needed.

Impact

Successful exploitation results in the disclosure of password hashes for all GUI users. These hashes can be subjected to offline brute-force or dictionary attacks to recover plaintext passwords. An attacker who obtains valid credentials can then log into the CCU3 web interface and potentially control the home automation system, leading to unauthorized access and manipulation of connected devices [1].

Mitigation

eQ-3 AG released a security update for Homematic CCU3 after responsible disclosure [1]. Users should upgrade to the latest firmware version to remediate this vulnerability. No workarounds are documented; updating is the only recommended mitigation.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
