CVE-2019-18939

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary code on eQ-3 Homematic CCU2 and CCU3 home automation controllers with the HM-Print AddOn installed. Attackers can send specially crafted HTTP POST requests to exec.cgi and exec1.cgi scripts to run TCL commands, potentially taking full control of affected devices. This affects all systems running vulnerable versions with the HM-Print AddOn enabled.

💻 Affected Systems

Products:
  • eQ-3 Homematic CCU2
  • eQ-3 Homematic CCU3
  • HM-Print AddOn
Versions: CCU2 2.47.20 and earlier, CCU3 3.47.18 and earlier, HM-Print AddOn through 1.2a
Operating Systems: Linux-based embedded OS on CCU devices
Default Config Vulnerable: ⚠️ Yes
Notes: Requires HM-Print AddOn to be installed. The vulnerable scripts are part of this addon, not the base CCU firmware.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to internal networks, or use devices as botnet nodes.

🟠 Likely Case

Remote code execution leading to device takeover, data theft, and potential lateral movement within home or building automation networks.

🟢 If Mitigated

Limited impact if devices are isolated from the internet and from internal networks, with strict access controls preventing unauthorized access.

🌐 Internet-Facing: HIGH - Devices exposed to the internet are directly exploitable by any attacker without authentication.
🏢 Internal Only: HIGH - Even internally, any user or compromised device on the network can exploit this without credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial with publicly available proof-of-concept code. Attackers only need network access to the web interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HM-Print AddOn version after 1.2a

Vendor Advisory: https://www.eq-3.com/

Restart Required: Yes

Instructions:

1. Update HM-Print AddOn to latest version.
2. Remove or disable HM-Print AddOn if not needed.
3. Consider updating CCU firmware to latest version.
4. Restart the CCU device after updates.

🔧 Temporary Workarounds

Disable HM-Print AddOn (all platforms)

Remove or disable the vulnerable HM-Print AddOn component

Access CCU web interface -> AddOns -> HM-Print -> Uninstall/Disable

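Network Access Control (Linux)

Restrict access to the CCU web interface using firewall rules. Replace trusted_ip with the address of the permitted management host; the ACCEPT rule must come before the DROP rule: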

iptables -A INPUT -p tcp --dport 80 -s trusted_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP

🧯 If You Can't Patch

  • Isolate CCU devices on separate VLAN with no internet access
  • Implement strict firewall rules blocking all external access to CCU web interface

🔍 How to Verify

Check if Vulnerable:

Check if HM-Print AddOn is installed via CCU web interface AddOns section. If version is 1.2a or earlier, device is vulnerable.

Check Version:

Check via CCU web interface: System Control -> Version Information

Verify Fix Applied:

Verify HM-Print AddOn is updated to version after 1.2a or completely removed. Test by attempting to access /addons/hm-print/exec.cgi - should return 404 or access denied.

📡 Detection & Monitoring

Log Indicators:

  • HTTP POST requests to /addons/hm-print/exec.cgi or /addons/hm-print/exec1.cgi
  • Unusual TCL command execution in system logs
  • Failed authentication attempts followed by successful exec.cgi access

Network Indicators:

  • HTTP POST requests with TCL code in body to CCU web interface
  • Unusual outbound connections from CCU devices
  • Traffic to/from CCU on port 80/tcp from unexpected sources

SIEM Query:

source="ccu_logs" AND (uri="/addons/hm-print/exec.cgi" OR uri="/addons/hm-print/exec1.cgi") AND method="POST"
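
Added example (not from this advisory or the vendor): a Python filter that applies the log indicators above to web-server access logs, normalizing the request path so encoded or doubled-slash variants of the two script URIs still match. It assumes Common/Combined Log Format lines; the sample lines and addresses are constructed.

```python
import posixpath
import re
from collections import defaultdict
from urllib.parse import unquote

# Script paths named in the log indicators above.
WATCHED = {"/addons/hm-print/exec.cgi", "/addons/hm-print/exec1.cgi"}

# Assumption: access log lines follow Common/Combined Log Format.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def normalize(target):
    """Drop the query string, decode %-escapes, collapse //, ./ and ../ segments."""
    path = unquote(target.split("?", 1)[0])
    # Lowercased so the filter over-matches rather than misses a case variant.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def find_hits(lines):
    """Return {source: [(timestamp, path, status), ...]} for POSTs to WATCHED."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = normalize(m["target"])
        if path in WATCHED:
            hits[m["src"]].append((m["ts"], path, int(m["status"])))
    return dict(hits)

# Constructed sample lines (documentation IP ranges), not real device logs.
SAMPLE = [
    '192.0.2.10 - - [01/Dec/2019:10:00:01 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2019:10:02:14 +0000] "POST /addons/hm-print/exec.cgi HTTP/1.1" 200 48',
    '203.0.113.7 - - [01/Dec/2019:10:02:20 +0000] "POST /addons//hm-print/%65xec1.cgi?x=1 HTTP/1.1" 200 48',
    '198.51.100.4 - - [02/Dec/2019:08:15:00 +0000] "POST /addons/hm-print/exec.cgi HTTP/1.1" 404 0',
    '192.0.2.10 - - [02/Dec/2019:09:00:00 +0000] "POST /login.htm HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for src, events in find_hits(SAMPLE).items():
        for ts, path, status in events:
            print(f"{src} [{ts}] POST {path} -> HTTP {status}")
```

A 404 or access-denied status on a hit matches the post-fix behaviour described under "Verify Fix Applied"; any other status on these paths means the script is still reachable and the source should be investigated.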
