Description
eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup (or factory reset).
References
- Exploit, Third Party Advisory
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1: versions up to and including 2.51.6
In combination:
cpe:2.3:o:eq-3:homematic_ccu2_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*
Configuration 2: versions up to and including 3.51.6
In combination:
cpe:2.3:o:eq-3:ccu3_firmware:*:*:*:*:*:*:*:*
cpe:2.3:h:eq-3:homematic_ccu3:-:*:*:*:*:*:*:*
EPSS
Percentile: 98%
0.45806
Medium
CVSS3: 9.8 Critical
CVSS2: 7.5 High
Weaknesses
CWE-276
Related vulnerabilities
github
more than 3 years ago
eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup (or factory reset).