CVE-2018-7300

CRITICAL

Homematic CCU2 Firmware < 2.29.22 - Unauthenticated Path Traversal and Arbitrary File Write via User.setLanguage Method

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-7300. PoCs published by Patrick Muench and Gregor Kopf.

AI-analyzed exploit summary This exploit leverages a directory traversal vulnerability in Homematic CCU2's API to arbitrarily write files on the system. It sends a crafted JSON payload to the `/api/homematic.cgi` endpoint, allowing an attacker to write arbitrary content to any file path via the `User.setLanguage` method.

Description

Directory Traversal / Arbitrary File Write / Remote Code Execution in the User.setLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to write arbitrary files to the device's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.

Exploits (1)

exploitdb WORKING POC
by Patrick Muench and Gregor Kopf · rubywebappscgi
https://www.exploit-db.com/exploits/44361

This exploit leverages a directory traversal vulnerability in Homematic CCU2's API to arbitrarily write files on the system. It sends a crafted JSON payload to the `/api/homematic.cgi` endpoint, allowing an attacker to write arbitrary content to any file path via the `User.setLanguage` method.

Classification
Working Poc 100%
Attack Type
Other
Complexity
Trivial
Reliability
Reliable
Target: Homematic CCU2 version 2.29.23
No auth needed
Prerequisites: Network access to the Homematic CCU2 API endpoint
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2
Core References
Third Party Advisory x_refsource_misc
http://atomic111.github.io/article/homematic-ccu2-filewrite
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44361/

Scores

CVSS v3 9.8
EPSS 0.1240
EPSS Percentile 94.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-22
Status published
Products (1)
eq-3/homematic_ccu2_firmware < 2.29.22
Published Feb 22, 2018
Tracked Since Feb 18, 2026