In /usr/local/etc/config/addons/mh/ on eQ-3 AG HomeMatic CCU2 2.29.22 devices, software update packages are downloaded via the HTTP protocol, which does not provide any cryptographic protection of the downloaded contents. An attacker with a privileged network position (which could be obtained via DNS spoofing of or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates to the CCU2. This can result in a full system compromise.

cve-icon MITRE


Assigner: mitre


Updated: 2024-08-05T06:24:11.812Z

Reserved: 2018-02-21T00:00:00

Link: CVE-2018-7298

cve-icon Vulnrichment

cve-icon NVD

Status : Modified

Published: 2018-02-22T19:29:05.140

Modified: 2024-11-21T04:11:57.600

Link: CVE-2018-7298

cve-icon Redhat

