CVE-2018-7297

CRITICAL EXPLOITED IN THE WILD

Eq-3 Homematic Central Control Unit C... - Remote Code Execution

Title source: rule

Description

Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.

Exploits (1)

exploitdb WORKING POC

by Patrick Muench and Gregor Kopf · rubywebappscgi

https://www.exploit-db.com/exploits/44368

View Code ZIP pw:eip

References (2)

[Third Party Advisory] http://atomic111.github.io/article/homematic-ccu2-remote-code-execution

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/44368/

Scores

CVSS v3 9.8

EPSS 0.5930

EPSS Percentile 98.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2019-06-12

InTheWild.io 2019-12-13

Status published

Products (1)

eq-3/homematic_central_control_unit_ccu2_firmware < 2.29.22

Published Feb 22, 2018

Tracked Since Feb 18, 2026