CVE-2019-18938

CRITICAL

eQ-3 Homematic CCU2/CCU3 <2.47.20/<3.47.18 - Remote Code Execution

Title source: manual

Description

eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.

References (1)

https://psytester.github.io/CVE-2019-18938/ (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3: 9.8
EPSS: 0.3384
EPSS Percentile: 98.2%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-306
Status: published
Products (16)
eq-3/homematic_ccu2_firmware 2.24.20
eq-3/homematic_ccu3_firmware 3.47.18
hm_email_project/hm_email 1.6.8c
hm_email_project/hm_email 1.6.8b
hm_email_project/hm_email 1.6.8a
hm_email_project/hm_email 1.6.7c
hm_email_project/hm_email 1.6.7b
hm_email_project/hm_email 1.6.7a
hm_email_project/hm_email 1.6.7
hm_email_project/hm_email 1.6.6
... and 6 more
Published: Nov 14, 2019
Tracked Since: Feb 18, 2026