Vulnerability Description
eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, aka HMCCU-154. This leads to automatic login as admin.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eq-3 | Ccu3 Firmware | < 3.43.16 |
| Eq-3 | Ccu3 | - |
| Eq-3 | Ccu2 Firmware | < 2.41.8 |
| Eq-3 | Ccu2 | - |
Related Weaknesses (CWE)
References
- https://www.eq-3.de/Downloads/Software/CCU3-Firmware/CCU3-3.43.16/CCU3-ChangelogRelease NotesVendor Advisory
- https://www.eq-3.de/Downloads/Software/HM-CCU2-Firmware_Updates/HM-CCU-2.41.9/HMRelease NotesVendor Advisory
- https://www.eq-3.de/Downloads/Software/CCU3-Firmware/CCU3-3.43.16/CCU3-ChangelogRelease NotesVendor Advisory
- https://www.eq-3.de/Downloads/Software/HM-CCU2-Firmware_Updates/HM-CCU-2.41.9/HMRelease NotesVendor Advisory
FAQ
What is CVE-2019-10119?
CVE-2019-10119 is a vulnerability with a CVSS score of 9.8 (CRITICAL). eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login att...
How severe is CVE-2019-10119?
CVE-2019-10119 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-10119?
Check the references section above for vendor advisories and patch information. Affected products include: Eq-3 Ccu3 Firmware, Eq-3 Ccu3, Eq-3 Ccu2 Firmware, Eq-3 Ccu2.