eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request.

Published: 2019-08-13 20:15
Updated: 2019-08-21 19:16

CVSS Score
Score 6.8 / 10
| Vendor | Product | Version | URI |
|---|---|---|---|
| Eq-3 | Homematic Ccu2 Firmware | 1.2.0 | cpe:/o:eq-3:homematic_ccu2_firmware:1.2.0 |
| Eq-3 | Homematic Ccu3 Firmware | 1.2.0 | cpe:/o:eq-3:homematic_ccu3_firmware:1.2.0 |


| ID | Name | Description |
|---|---|---|
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |


History of changes

Date Event
2019-08-21 19:16
2019-08-13 20:15