HMCCU-153: Unauthenticated Session Hijacking and Admin Access in eQ-3 HomeMatic CCU2 and CCU3 Devices
CVE-2019-10121 · HIGH Severity
AV:N/AC:L/AU:N/C:P/I:P/A:P
eQ-3 HomeMatic CCU2 devices before 2.41.8 and CCU3 devices before 3.43.15 use session IDs for authentication but lack authorization checks. An attacker can obtain a session ID via the user authentication dialogue, aka HMCCU-153. This leads to automatic login as admin.
Learn more about our User Device Pen Test.