cbcvebase.
CVE-2019-7256
published 2019-07-02

CVE-2019-7256: Linear eMerge E3-Series devices allow Command Injections.

Priority: P1 · 96 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2024-04-15
Exploited in the wild
EPSS: 97.14% (99.9th percentile)

Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nortekcontrol | emerge_e3_firmware | <= 0.32-09c | |
| nortekcontrol | linear_emerge_elite_firmware | <= 1.00-06 | |
| nortekcontrol | linear_emerge_essential_firmware | <= 1.00-06 | |

Detection & IOCs (extracted from sources)

url: /card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20{{file}}.txt%60
path: /card_scan.php
path: /card_scan_decoder.php
command: GET /card_scan.php?No=30&ReaderNo=%60<cmd> > test.txt%60
command: GET /card_scan.php?No=30&ReaderNo=%60rm test.txt%60
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Inbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; startswith; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029207; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_30, cve CVE_2019_7256, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
snort
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT Linear eMerge E3 Unauthenticated Command Injection Outbound (CVE-2019-7256)"; flow:established,to_server; http.uri; content:"/card_scan_decoder.php?No="; startswith; reference:cve,2019-7256; reference:url,packetstormsecurity.com/files/155256/Linear-eMerge-E3-1.00-06-card_scan_decoder.php-Command-Injection.html; classtype:attempted-admin; sid:2029213; rev:3; metadata:affected_product Linux, attack_target IoT, created_at 2019_12_31, cve CVE_2019_7256, deployment Perimeter, signature_severity Major, tag CISA_KEV, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_13, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services;)
  • Detect HTTP requests targeting /card_scan_decoder.php with the 'No=' parameter — the primary injection point for CVE-2019-7256. Both inbound and outbound traffic should be monitored (ET SIDs 2029207 and 2029213).
  • Also monitor /card_scan.php with the ReaderNo parameter containing backtick-encoded shell command injection patterns (URL-encoded backticks %60).
  • Exploitation results in command execution as root; look for the presence of /etc/passwd content (regex: root:.*:0:0:) in HTTP responses from the device.
  • Shodan/FOFA/Google exposure queries can identify internet-facing eMerge E3 devices: search for title 'eMerge' or 'emerge'.
  • The exploit is unauthenticated — no session or credentials are required. Any HTTP GET to the vulnerable endpoints from external IPs should be treated as suspicious.
  • The exploit drops a temporary output file (test.txt) in the web root and retrieves it via a second GET request — look for sequential GET requests to /card_scan.php followed by GET /test.txt.
  • The Nuclei template targets /card_scan.php, while the Metasploit module and Snort rules target /card_scan_decoder.php; both endpoints are vulnerable and should be covered in detection logic.
  • Affected versions are 1.00-06 and below; the Metasploit module confirms this scope.
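
The log-side checks listed above (both endpoints, backticks in the No/ReaderNo parameters, and the follow-up fetch of a .txt file from the web root) can be combined in one pass over web or proxy access logs. This is an added example, not code from the sources this page cites; it assumes Apache/nginx "combined" log lines, and the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameters named on this page for CVE-2019-7256.
ENDPOINTS = {"/card_scan.php", "/card_scan_decoder.php"}
PARAMS = ("No", "ReaderNo")
# Assumed log format: Apache/nginx "combined" (client, method, request target).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+) [^"]*"')
TXT_IN_WEBROOT = re.compile(r"/[^/]+\.txt")

def scan(lines):
    """Return (line_no, client, reason) for each suspicious request."""
    findings, pending = [], set()  # pending: clients that sent a backtick payload
    for n, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue
        client, method, target = m.groups()
        url = urlsplit(target)
        if url.path in ENDPOINTS:
            # parse_qs percent-decodes, so %60 and a literal backtick both match.
            query = parse_qs(url.query, keep_blank_values=True)
            hit = [p for p in PARAMS if any("`" in v for v in query.get(p, []))]
            if hit:
                pending.add(client)
                findings.append((n, client, f"backtick in {hit[0]} on {url.path}"))
            else:
                # Unauthenticated endpoint: any request is worth a review.
                findings.append((n, client, f"request to {url.path}"))
        elif method == "GET" and client in pending and TXT_IN_WEBROOT.fullmatch(url.path):
            findings.append((n, client, f"fetch of {url.path} after injection"))
    return findings

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /card_scan.php?No=30&ReaderNo=%60cat%20/etc/passwd%20%3E%20test.txt%60 HTTP/1.1" 200 0',
    '203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /test.txt HTTP/1.1" 200 1024',
    '198.51.100.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /test.txt HTTP/1.1" 404 0',
    '192.0.2.4 - - [01/Jan/2024:10:00:05 +0000] "GET /card_scan_decoder.php?No=30 HTTP/1.1" 200 10',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The .txt correlation is keyed on client IP only, so a source that rotates addresses between the two requests is caught by the first check but not the second.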

CVSS provenance

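| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |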