eQ-3 Homematic CCU2
Approved changes feed: RSS · Atom
cpe:2.3:h:eq-3:homematic_ccu2:-:*:*:*:*:*:*:*
part: h version: - update: *
| Vendor | Eq 3 (11715dba-e07d-5393-bfe8-7d5685450e28) |
|---|---|
| Product | Homematic Ccu2 (d0b3ede0-00dc-55d5-8973-2ecfa08937f0) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | ||
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
CVE:CVE-2021-33032 |
not_vulnerable | 2026-06-08 05:32:08.537856 |
Details available
A Remote Code Execution (RCE) vulnerability in the WebUI component of the eQ-3 HomeMatic CCU2 firmware up to and including version 2.57.5 and CCU3 firmware up to and including version 3.57.5 allows remote unauthenticated attackers to execute system commands as root via a simple HTTP request.
Published: 2021-07-22T17:45:35.000Z
Updated: 2024-08-03T23:42:19.135Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2020-12834 |
not_vulnerable | 2026-06-08 05:17:59.433875 |
Details available
eQ-3 Homematic Central Control Unit (CCU)2 through 2.51.6 and CCU3 through 3.51.6 allow Remote Code Execution in the JSON API Method ReGa.runScript, by unauthenticated attackers with access to the web interface, due to the default auto-login feature being enabled during first-time setup (or factory reset).
Published: 2020-05-15T16:14:49.000Z
Updated: 2024-08-04T12:04:22.903Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-9585 |
not_vulnerable | 2026-06-08 05:14:25.772369 |
Details available
eQ-3 Homematic CCU2 prior to 2.47.10 and CCU3 prior to 3.47.10 JSON API has Improper Access Control for Interface.***Metadata related operations, resulting in the ability to read, set and deletion of Metadata.
Published: 2019-08-14T20:10:17.000Z
Updated: 2024-08-04T21:54:44.538Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-9584 |
not_vulnerable | 2026-06-08 05:14:25.770218 |
Details available
eQ-3 Homematic AddOn 'CloudMatic' on CCU2 and CCU3 allows uncontrolled admin access, resulting in the ability to obtain VPN profile details, shutting down the VPN service and to delete the VPN service configuration. This is related to improper access control for all /addons/mh/ pages.
Published: 2019-08-14T20:03:06.000Z
Updated: 2024-08-04T21:54:44.866Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-9583 |
not_vulnerable | 2026-06-08 05:14:25.766311 |
Details available
eQ-3 Homematic CCU2 and CCU3 obtain session IDs without login. This allows a Denial of Service and is a starting point for other attacks. Affected versions for CCU2: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15. Affected versions for CCU3: 3.41.11, 3.43.16, 3.45.5, 3.45.7, 3.47.10, 3.47.15.
Published: 2019-08-14T19:47:54.000Z
Updated: 2024-08-04T21:54:44.498Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-9582 |
not_vulnerable | 2026-06-08 05:14:25.760206 |
Details available
eQ-3 Homematic CCU2 outdated base software packages allows Denial of Service. CCU2 affected versions: 2.35.16, 2.41.5, 2.41.8, 2.41.9, 2.45.6, 2.45.7, 2.47.10, 2.47.12, 2.47.15.
Published: 2019-08-14T19:57:14.000Z
Updated: 2024-08-04T21:54:45.068Z |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-18939 |
not_vulnerable | 2026-06-08 05:13:21.235023 |
Details available
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the HM-Print AddOn through 1.2a installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi and exec1.cgi scripts, which execute TCL script content from an HTTP POST request.
Published: 2019-11-14T18:53:08.000Z
Updated: 2024-08-05T02:02:39.744Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-18938 |
not_vulnerable | 2026-06-08 05:13:13.092900 |
Details available
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the E-Mail AddOn through 1.6.8.c installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the save.cgi script for payload upload and the testtcl.cgi script for its execution.
Published: 2019-11-14T18:52:33.000Z
Updated: 2024-08-05T02:02:39.909Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-18937 |
not_vulnerable | 2026-06-08 05:13:13.084408 |
Details available
eQ-3 Homematic CCU2 2.47.20 and CCU3 3.47.18 with the Script Parser AddOn through 1.8 installed allow Remote Code Execution by unauthenticated attackers with access to the web interface via the exec.cgi script, which executes TCL script content from an HTTP POST request.
Published: 2019-11-14T18:50:42.000Z
Updated: 2024-08-05T02:02:39.918Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-16199 |
not_vulnerable | 2026-06-08 05:13:07.884956 |
Details available
eQ-3 Homematic CCU2 before 2.47.18 and CCU3 before 3.47.18 allow Remote Code Execution by unauthenticated attackers with access to the web interface via an HTTP POST request to certain URLs related to the ReGa core process.
Published: 2019-09-17T20:53:22.000Z
Updated: 2024-08-05T01:10:41.532Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-14986 |
not_vulnerable | 2026-06-08 05:12:56.509004 |
Details available
eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn before 2.3.0 installed allow administrative operations by unauthenticated attackers with access to the web interface, because features such as File-Browser and Shell Command (as well as "Set root password") are exposed.
Published: 2019-08-13T19:19:44.000Z
Updated: 2024-08-05T00:34:53.132Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-14985 |
not_vulnerable | 2026-06-08 05:12:56.504680 |
Details available
eQ-3 Homematic CCU2 and CCU3 with the CUxD AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because this interface can access the CMD_EXEC virtual device type 28.
Published: 2019-08-13T19:17:52.000Z
Updated: 2024-08-05T00:34:52.995Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2019-14984 |
not_vulnerable | 2026-06-08 05:12:56.497142 |
Details available
eQ-3 Homematic CCU2 and CCU3 with the XML-API through 1.2.0 AddOn installed allow Remote Code Execution by unauthenticated attackers with access to the web interface, because the undocumented addons/xmlapi/exec.cgi script uses CMD_EXEC to execute TCL code from a POST request.
Published: 2019-08-13T19:15:17.000Z
Updated: 2024-08-05T00:34:52.992Z Reference links |
Imported from gcve-enriched-dumps CVE data |
CVE:CVE-2018-7300 |
not_vulnerable | 2026-06-08 05:12:03.590006 |
Details available
Directory Traversal / Arbitrary File Write / Remote Code Execution in the User.setLanguage method in eQ-3 AG Homematic CCU2 2.29.2 and earlier allows remote attackers to write arbitrary files to the device's filesystem. This vulnerability can be exploited by unauthenticated attackers with access to the web interface.
Published: 2018-02-22T19:00:00.000Z
Updated: 2024-08-05T06:24:11.859Z |
Imported from gcve-enriched-dumps CVE data |
Contribute
You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.