CVE-2019-7256
Published 2019-07-02
CVE-2019-7256: Linear eMerge E3-Series devices allow Command Injections.
Priority: P196 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-04-15
Exploited in the wild
EPSS: 97.14% (99.9th percentile)
Linear eMerge E3-Series devices allow Command Injections.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nortekcontrol | emerge_e3_firmware | <= 0.32-09c | — |
| nortekcontrol | linear_emerge_elite_firmware | <= 1.00-06 | — |
| nortekcontrol | linear_emerge_essential_firmware | <= 1.00-06 | — |
Detection & IOCs
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; startswith; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, cve CVE_2019_7256, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; startswith; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, cve CVE_2019_7256, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
- Detect HTTP requests targeting /card_scan_decoder.php with the 'No=' parameter, the primary injection point for CVE-2019-7256. Both inbound and outbound traffic should be monitored (ET SIDs 2029207 and 2029213).
- Also monitor /card_scan.php for a ReaderNo parameter containing backtick-wrapped shell command injection patterns (backticks URL-encoded as %60).
- Exploitation results in command execution as root; look for the presence of /etc/passwd content (regex: root:.*:0:0:) in HTTP responses from the device.
- Shodan/FOFA/Google exposure queries can identify internet-facing eMerge E3 devices: search for title 'eMerge' or 'emerge'.
- The exploit is unauthenticated: no session or credentials are required. Any HTTP GET to the vulnerable endpoints from external IPs should be treated as suspicious.
- The exploit drops a temporary output file (test.txt) in the web root and retrieves it via a second GET request; look for sequential GET requests to /card_scan.php followed by GET /test.txt.
- The Nuclei template targets /card_scan.php, while the Metasploit module and Snort rules target /card_scan_decoder.php; both endpoints are vulnerable and should be covered in detection logic.
- Affected versions are 1.00-06 and below; the Metasploit module confirms this scope.
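The checks in the list above can be combined into one log triage pass. The following is an added example, not code from any of the sources indexed on this page; it assumes a simplified log format (`<epoch> <client> <method> <request-target>`), a 60-second correlation window, and uses `CMD` as a placeholder in the constructed sample lines.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Endpoints, parameters and drop file named on this page.
ENDPOINTS = {"/card_scan.php", "/card_scan_decoder.php"}
PARAMS = {"No", "door", "ReaderNo"}
DROP_FILE = "/test.txt"   # temporary output file fetched by a second GET
WINDOW = 60               # seconds; assumed correlation window

# Assumed (constructed) log format: "<epoch> <client_ip> <method> <request-target>"
LINE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def scan(lines):
    """Return (epoch, client, finding) tuples in log order."""
    findings, last_hit = [], {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, target = int(m[1]), m[2], m[4]
        url = urlsplit(target)
        path = unquote(url.path)
        if path in ENDPOINTS:
            last_hit[client] = ts
            # parse_qsl percent-decodes values, so %60 and a raw backtick both match
            params = parse_qsl(url.query, keep_blank_values=True)
            tainted = [k for k, v in params if k in PARAMS and "`" in v]
            if tainted:
                findings.append((ts, client, "backtick in " + ",".join(tainted)))
            else:
                # no credentials are needed, so any request here deserves a look
                findings.append((ts, client, "endpoint request"))
        elif path == DROP_FILE and client in last_hit and ts - last_hit[client] <= WINDOW:
            findings.append((ts, client, "test.txt fetched after card_scan request"))
    return findings

SAMPLE = [  # constructed lines; CMD stands in for any injected command
    "1700000000 203.0.113.7 GET /card_scan_decoder.php?No=%60CMD%60",
    "1700000005 203.0.113.9 GET /card_scan.php?ReaderNo=%60CMD%60",
    "1700000007 203.0.113.9 GET /test.txt",
    "1700000300 198.51.100.4 GET /test.txt",
    "1700000400 198.51.100.4 GET /index.php?No=1",
    "1700000500 198.51.100.4 GET /card_scan.php?ReaderNo=2",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A lone request for /test.txt with no preceding card_scan request from the same client is not flagged, which keeps the sequence check from firing on unrelated traffic.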
CVSS provenance
- nvd v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 9.8 CRITICAL
- cisa: 9.8 CRITICAL
GHSA
GHSA-jw4j-j3xr-4wff: Nortek Linear eMerge E3-Series devices before 0
ghsa_unreviewed·2022-08-26·CVSS 9.8
CVE-2022-31499 [CRITICAL] CWE-78 GHSA-jw4j-j3xr-4wff: Nortek Linear eMerge E3-Series devices before 0
Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256.
GHSA
GHSA-24pq-phfq-785f: Linear eMerge E3-Series devices allow Command Injections
ghsa_unreviewed·2022-05-24
CVE-2019-7256 [CRITICAL] CWE-78 GHSA-24pq-phfq-785f: Linear eMerge E3-Series devices allow Command Injections
Linear eMerge E3-Series devices allow Command Injections.
VulnCheck
nortekcontrol emerge_e3_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
vulncheck·2022·CVSS 9.8
CVE-2022-31499 [CRITICAL] nortekcontrol emerge_e3_firmware Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256.
Affected: nortekcontrol emerge_e3_firmware
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://web.archive.org/web/20230318134256/https://unit42.paloaltonetworks.com/network-security-trends-aug-oct-2022/; https://unit42.paloaltonetworks.com/mirai-variant-targets-iot-exploits/; https://app.crowdsec.net/cti/cve-explorer/CVE-2022-31499
VulnCheck
Nice Linear eMerge E3-Series OS Command Injection Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-7256 [CRITICAL] CWE-78 Nice Linear eMerge E3-Series OS Command Injection Vulnerability
Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution.
Affected: Nice Linear eMerge E3-Series
Required Action: Contact the vendor for guidance on remediating firmware, per their advisory.
Exploitation References: https://blog.sonicwall.com/en-us/2020/02/linear-emerge-e3-access-controller-actively-being-exploited/; https://blog.radware.com/security/botnets/2020/05/whos-viktor-tracking-down-the-xtc-polaris-botnets/; https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/honeypot-recon-enterprise-applications-honeypot-unveiling-findings-from-six-worldwide-locations/; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/
CISA
Nice Linear eMerge E3-Series OS Command Injection Vulnerability
cisa·2024-03-25·CVSS 9.8
CVE-2019-7256 [CRITICAL] CWE-78 Nice Linear eMerge E3-Series OS Command Injection Vulnerability
Vulnerability: Nice Linear eMerge E3-Series OS Command Injection Vulnerability
Affected: Nice Linear eMerge E3-Series
Nice Linear eMerge E3-Series contains an OS command injection vulnerability that allows an attacker to conduct remote code execution.
Required Action: Contact the vendor for guidance on remediating firmware, per their advisory.
Notes: https://linear-solutions.com/wp-content/uploads/E3-Bulletin-06-27-2023.pdf, https://www.cisa.gov/news-events/ics-advisories/icsa-24-065-01; https://nvd.nist.gov/vuln/detail/CVE-2019-7256
Remediation Due Date: 2024-04-15
CISA ICS
Nice Linear eMerge E3-Series
cisa_ics·2024-03-05·CVSS 9.8
[CRITICAL] Nice Linear eMerge E3-Series
ICS Advisory
## Nice Linear eMerge E3-Series
Release Date: March 05, 2024
Alert Code: ICSA-24-065-01
## 1. EXECUTIVE SUMMARY
- CVSS v3 10.0
- ATTENTION: Exploitable remotely/low attack complexity/public exploits are available
- Vendor: Nice
- Equipment: Linear eMerge E3-Series
- Vulnerabilities: Path traversal, Cross-site scripting, OS command injection, Unrestricted Upload of File with Dangerous Type, Incorrect Authorization, Exposure of Sensitive Information to an Authorized Actor, Insufficiently Protected Credentials, Use of Hard-coded Credentials, Cross-site Request Forgery, Out-of-bounds Write
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow a remote attacker to gain full system access.
## 3. TECHNICAL DETAILS
Suricata
ET EXPLOIT eMerge E3 Command Injection Inbound (CVE-2019-7256)
suricata·2021-08-22·CVSS 9.8
CVE-2019-7256 [CRITICAL] ET EXPLOIT eMerge E3 Command Injection Inbound (CVE-2019-7256)
Rule: alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT eMerge E3 Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.method; content:"GET"; http.uri; content:"/card_scan"; startswith; fast_pattern; content:".php"; within:15; content:"=|60|"; reference:cve,2019-7256; classtype:attempted-admin; sid:2033757; rev:2; metadata:created_at 2021_08_22, cve CVE_2019_7256, confidence High, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_08, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
Suricata
ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)
suricata·2019-12-31·CVSS 9.8
CVE-2019-7256 [CRITICAL] ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; startswith; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, cve CVE_2019_7256, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movemen
Suricata
ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)
suricata·2019-12-30·CVSS 9.8
CVE-2019-7256 [CRITICAL] ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; startswith; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, cve CVE_2019_7256, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement,
Exploit-DB
eMerge E3 1.00-06 - Remote Code Execution
exploitdb·2019-11-12·CVSS 9.8
CVE-2019-7256 [CRITICAL] eMerge E3 1.00-06 - Remote Code Execution
---
# Exploit Title: eMerge E3 1.00-06 - Remote Code Execution
# Google Dork: NA
# Date: 2018-09-11
# Exploit Author: LiquidWorm
# Vendor Homepage: http://linear-solutions.com/nsc_family/e3-series/
# Software Link: http://linear-solutions.com/nsc_family/e3-series/
# Version: 1.00-06
# Tested on: NA
# CVE : CVE-2019-7256
# Advisory: https://applied-risk.com/resources/ar-2019-009
# Paper: https://applied-risk.com/resources/i-own-your-building-management-system
# Advisory: https://applied-risk.com/resources/ar-2019-005
#!/usr/bin/env python
#
###################################################################
# lqwrm@metalgear:~/stuff$ python emergeroot1.py 192.168.1.2
#
# [email protected]:/spider/web/webroot$ id
# uid=1003(lighttpd) gid=0(root
Nuclei
eMerge E3 1.00-06 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2019-7256 [CRITICAL] eMerge E3 1.00-06 - Remote Code Execution
Linear eMerge E3-Series devices are susceptible to remote code execution vulnerabilities.
Template:
id: CVE-2019-7256
info:
  name: eMerge E3 1.00-06 - Remote Code Execution
  author: pikpikcu
  severity: critical
  description: |
    Linear eMerge E3-Series devices are susceptible to remote code execution vulnerabilities.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patch or update to a non-vulnerable version of eMerge E3.
  reference:
    - https://www.exploit-db.com/exploits/47619
    - http://linear-solutions.com/nsc_family/e3-series/
    - https://nvd.nist.gov/vuln/detail/CVE-2019-7256
    - https://applied-risk.com/labs/advisories
    - https://www
Metasploit
Linear eMerge E3-Series Access Controller Command Injection
metasploit
This module exploits a command injection vulnerability in the Linear eMerge E3-Series Access Controller. The Linear eMerge E3 versions `1.00-06` and below are vulnerable to unauthenticated command injection in card_scan_decoder.php via the `No` and `door` HTTP GET parameters. Successful exploitation results in command execution as the `root` user.
- http://packetstormsecurity.com/files/155255/Linear-eMerge-E3-1.00-06-card_scan.php-Command-Injection.html
- http://packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html
- http://packetstormsecurity.com/files/155272/Linear-eMerge-E3-Access-Controller-Command-Injection.html
- http://packetstormsecurity.com/files/170372/Linear-eMerge-E3-Series-Access-Controller-Command-Injection.html
- https://applied-risk.com/labs/advisories
- https://www.applied-risk.com/resources/ar-2019-005
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7256
Published: 2019-07-02
Added to CISA KEV: 2024-03-25
Exploited in the wild