CVE-2018-7297

Remote Code Execution in the TCL script interpreter in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to obtain read/write access and execute system commands on the device. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 97%
VendorProductVersion
eq-3homematic_central_control_unit_ccu2_firmware
𝑥
≤ 2.29.22
𝑥
= Vulnerable software versions
References
http://atomic111.github.io/article/homematic-ccu2-remote-code-execution
https://www.exploit-db.com/exploits/44368/
http://atomic111.github.io/article/homematic-ccu2-remote-code-execution
https://www.exploit-db.com/exploits/44368/