CVE: CVE-2018-7298
Published: 2018-02-22T19:29Z
Description Language: en
Description: In /usr/local/etc/config/addons/mh/ on eQ-3 AG HomeMatic CCU2 2.29.22 devices, software update packages are downloaded via the HTTP protocol, which does not provide any cryptographic protection of the downloaded contents. An attacker with a privileged network position (which could be obtained via DNS spoofing of or other approaches) can exploit this issue in order to provide arbitrary malicious firmware updates to the CCU2. This can result in a full system compromise.