Vulnerability Description
eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Eq-3 | Homematic Ccu2 Firmware | <= 2.47.15 |
| Eq-3 | Homematic Ccu2 | - |
| Eq-3 | Homematic Ccu3 Firmware | <= 3.47.15 |
| Eq-3 | Homematic Ccu3 | - |
Related Weaknesses (CWE)
References
- https://github.com/psytester/psytester.github.io/blob/master/_posts/hacking_and_ExploitThird Party Advisory
- https://psytester.github.io/CVE-2019-9584/ExploitThird Party Advisory
- https://github.com/psytester/psytester.github.io/blob/master/_posts/hacking_and_ExploitThird Party Advisory
- https://psytester.github.io/CVE-2019-9584/ExploitThird Party Advisory
FAQ
What is CVE-2019-9584?
CVE-2019-9584 is a vulnerability with a CVSS score of 9.8 (CRITICAL). eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service...
How severe is CVE-2019-9584?
CVE-2019-9584 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-9584?
Check the references section above for vendor advisories and patch information. Affected products include: Eq-3 Homematic Ccu2 Firmware, Eq-3 Homematic Ccu2, Eq-3 Homematic Ccu3 Firmware, Eq-3 Homematic Ccu3.