CVE-2019-18937
📋 TL;DR
This vulnerability allows unauthenticated remote attackers to execute arbitrary code on eQ-3 Homematic CCU2 and CCU3 home automation controllers. Attackers with access to the web interface can send specially crafted HTTP POST requests to execute TCL scripts, leading to complete system compromise. All systems running affected versions with the Script Parser AddOn are vulnerable.
💻 Affected Systems
- eQ-3 Homematic CCU2
- eQ-3 Homematic CCU3
📦 What is this software?
Scriptparser by Scriptparser Project
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover, installation of persistent backdoors, lateral movement to other network devices, and potential physical safety risks if home automation controls are manipulated.
Likely Case
Remote code execution leading to data theft, cryptocurrency mining, botnet enrollment, or ransomware deployment on vulnerable home automation systems.
If Mitigated
Limited impact if systems are behind firewalls with strict network segmentation and web interface access is restricted to trusted networks only.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. Attackers only need network access to the web interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Script Parser AddOn version after 1.8
Vendor Advisory: https://www.eq-3.com/products/homematic.html
Restart Required: Yes
Instructions:
1. Update the Script Parser AddOn to the latest version.
2. Remove or disable the exec.cgi script if it is not needed.
3. Restart the CCU device.
4. Verify the fix by checking the AddOn version.
🔧 Temporary Workarounds
Network Access Restriction
Block external access to the CCU web interface using firewall rules (replace TRUSTED_NETWORK with your management subnet in CIDR notation; the negation goes before the -s option in current iptables releases):
iptables -A INPUT -p tcp --dport 80 ! -s TRUSTED_NETWORK -j DROP
iptables -A INPUT -p tcp --dport 443 ! -s TRUSTED_NETWORK -j DROP
Disable Script Parser AddOn
Remove or disable the vulnerable Script Parser AddOn component (pick one of the two commands; chmod has nothing left to act on once the file is removed):
# either delete the CGI script outright ...
rm /usr/local/addons/scriptparser/exec.cgi
# ... or keep the file but strip every permission so the web server cannot execute it
chmod 000 /usr/local/addons/scriptparser/exec.cgi
🧯 If You Can't Patch
- Isolate vulnerable systems in a separate VLAN with strict network segmentation
- Implement web application firewall (WAF) rules to block requests to exec.cgi
🔍 How to Verify
Check if Vulnerable:
Check if /usr/local/addons/scriptparser/exec.cgi exists and Script Parser AddOn version is ≤1.8
Check Version:
cat /usr/local/addons/scriptparser/version.txt || echo 'Not installed'
Verify Fix Applied:
Verify exec.cgi is removed/disabled and Script Parser AddOn version is >1.8
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /addons/scriptparser/exec.cgi
- Unusual TCL script execution in system logs
- Failed authentication attempts followed by exec.cgi access
Network Indicators:
- HTTP POST requests containing TCL commands to port 80/443
- Unusual outbound connections from CCU devices
SIEM Query:
source="web_access.log" AND uri="/addons/scriptparser/exec.cgi" AND method="POST"
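The same indicator (POST to /addons/scriptparser/exec.cgi) applied offline to access-log lines, as an added example that is not part of this advisory. It assumes a combined access-log format and uses constructed sample lines; the CCU's own web server log format may differ, so adjust the regular expression to the lines you actually collect.

```python
import re
from collections import Counter

# Constructed sample lines (combined log format); not taken from any real device.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /addons/scriptparser/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "POST /addons/scriptparser/exec.cgi HTTP/1.1" 200 128 "-" "curl/7.68.0"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "POST /addons/scriptparser/exec.cgi HTTP/1.1" 200 128 "-" "curl/7.68.0"
192.0.2.10 - - [10/Oct/2023:13:56:02 +0000] "GET /addons/scriptparser/exec.cgi HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD uri proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# URI named in the advisory's log indicators.
TARGET_URI = "/addons/scriptparser/exec.cgi"


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exec_cgi_posts(log_text):
    """Keep only lines whose method is POST and whose path (query string stripped) is exec.cgi."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["uri"].split("?", 1)[0] == TARGET_URI:
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count matching requests per source address so repeated callers stand out."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = find_exec_cgi_posts(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} POST {h["uri"]} -> {h["status"]} ua={h["ua"]}')
    print(dict(summarize_by_source(found)))
```

Feed the function real log text instead of SAMPLE_LOG to triage a device; the GET line is deliberately ignored because the advisory's indicator is POST traffic.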