HMCCU-153: Unauthenticated Session Hijacking and Admin Access in eQ-3 HomeMatic CCU2 and CCU3 Devices

HMCCU-153: Unauthenticated Session Hijacking and Admin Access in eQ-3 HomeMatic CCU2 and CCU3 Devices

CVE-2019-10121 · HIGH Severity

AV:N/AC:L/AU:N/C:P/I:P/A:P

eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.15 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via the user authentication dialogue, aka HMCCU-153. This leads to automatic login as admin.

Learn more about our User Device Pen Test.