CVE-2019-7254
published 2019-07-02

CVE-2019-7254: Linear eMerge E3-Series devices allow File Inclusion.

Priority: P1 · 81 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 82.04% (99.6th percentile)

Affected (2 ranges)

Vendor          Product                            Version range   Fixed in
nortekcontrol   linear_emerge_elite_firmware       <= 1.00-06      -
nortekcontrol   linear_emerge_essential_firmware   <= 1.00-06      -

Detection & IOCs (extracted from sources)

url:  /?c=../../../../../../etc/passwd%00
url:  /badging/badge_print_v0.php?tpl=../../../../../etc/passwd
url:  /badging/badge_template_print.php?tpl=../../../../../etc/version
url:  /badging/badge_template_v0.php?layout=../../../../../../../etc/issue
url:  /?c=webuser&m=update
url:  /?c=webuser&m=select&p=&f=&w=&v=1
path: /badging/badge_print_v0.php
path: /badging/badge_template_print.php
path: /badging/badge_template_v0.php
  • Detect unauthenticated LFI via the `c` parameter using null-byte termination (%00) in GET requests to the root path of eMerge E3 devices.
  • Detect LFI attempts via the `tpl` parameter in badge_print_v0.php and badge_template_print.php, and via the `layout` parameter in badge_template_v0.php.
  • Shodan/FOFA fingerprint for exposed eMerge E3 devices: search for HTTP title containing 'emerge'.
  • Privilege escalation abuse: unauthenticated or low-privilege POST to /?c=webuser&m=update with UserRole=1 to elevate account privileges.
  • Successful LFI exploitation can be confirmed by matching the regex `root:.*:0:0:` in HTTP 200 responses from the device.
  • The null-byte termination (%00) in the `c` parameter traversal path is specific to version 1.00-06 and may not work on patched or newer firmware versions.
  • The exploit was tested on firmware version 1.00-06 only; behavior on other versions is unconfirmed.
  • The privilege escalation PoC (CVE-2019-7259) reuses the same session cookie format; detections relying solely on PHPSESSID may produce false positives for legitimate sessions.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      7.5     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd         v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck   -         7.5     HIGH       -