CVE-2019-10119
First published: Wed Jul 10 2019(Updated: )
eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.16 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, aka HMCCU-154. This leads to automatic login as admin.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Eq-3 Ccu3 Firmware | <3.43.16 | |
| Eq-3 Ccu3 | ||
| Eq-3 Ccu2 Firmware | <2.41.8 | |
| Eq-3 Ccu2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2019-10119.
What is the severity of CVE-2019-10119?
The severity of CVE-2019-10119 is critical with a severity value of 9.8.
How does the vulnerability CVE-2019-10119 affect eQ-3 HomeMatic CCU2 devices?
The vulnerability CVE-2019-10119 affects eQ-3 HomeMatic CCU2 devices before version 2.41.8.
How does the vulnerability CVE-2019-10119 affect eQ-3 HomeMatic CCU3 devices?
The vulnerability CVE-2019-10119 affects eQ-3 HomeMatic CCU3 devices before version 3.43.16.
How can an attacker exploit CVE-2019-10119?
An attacker can obtain a session ID via an invalid login attempt to the RemoteApi account, leading to automatic login as admin.