Vulnerabilities (CVE)

Filtered by vendor Eq-3 Subscribe

Filtered by product Homematic Central Control Unit Ccu2

CVSS v3 Filter

ALL

NONE (0.0) LOW (0.1 - 3.9) MEDIUM (4.0 - 6.9) HIGH (7.0 - 8.9) CRITICAL (9.0 - 10.0)

Search

Total 2 CVE

CVE	Vendors	Products	Updated	CVSS v2	CVSS v3
CVE-2018-7298	1 Eq-3	2 Homematic Central Control Unit Ccu2, Homematic Central Control Unit Ccu2 Firmware	2019-10-03	9.3 HIGH	8.1 HIGH
In /usr/local/etc/config/addons/mh/loopupd.sh on eQ-3 AG HomeMatic CCU2 2.29.22 devices, software update packages are downloaded via the HTTP protocol, which does not provide any cryptographic protection of the downloaded contents. An attacker with a privileged network position (which could be obtained via DNS spoofing of www.meine-homematic.de or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates to the CCU2. This can result in a full system compromise.
CVE-2018-7299	1 Eq-3	2 Homematic Central Control Unit Ccu2, Homematic Central Control Unit Ccu2 Firmware	2019-10-03	5.2 MEDIUM	8.0 HIGH
Remote Code Execution in the addon installation process in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows authenticated attackers to create or overwrite arbitrary files or install malicious software on the device.