CVE-2019-7266
published 2019-07-02

CVE-2019-7266: Linear eMerge 50P/5000P devices allow Authentication Bypass.

Priority P2 · 68 · critical · 9.8 · CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 4.63% (90.6th percentile)

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
nortekcontrol | linear_emerge_5000p_firmware | <= 4.6.07 | (not listed)
nortekcontrol | linear_emerge_50p_firmware | <= 4.6.07 | (not listed)

Detection & IOCs (extracted from sources)

path: /cgi-bin/websrunnings.cgi
path: /cgi-bin/uplsysupdate.cgi
path: /goform/saveS2ConfVals
path: /person/upload/
path: /usr/local/s2/web/upload/system/backup.upg
path: /usr/local/s2/web/upload/pics/shell.jpg
path: /usr/local/s2/web/cgi-bin/websrunnings.cgi
cookie: sessionId=../web/upload/system/backup.upg
cookie: Cookie: sudo <command>
filename: shell.jpg
filename: backup.upg
command: timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29
  • Unauthenticated POST to /cgi-bin/uplsysupdate.cgi with arbitrary file upload (e.g., .upg extension containing session data) indicates exploitation of CVE-2019-7268 (unrestricted upload) chained with CVE-2019-7266 (auth bypass).
  • Command injection via the Cookie header value sent to /cgi-bin/websrunnings.cgi — monitor for HTTP requests to this CGI endpoint with a Cookie header containing OS commands (e.g., 'sudo whoami', 'sudo id').
  • Command injection payload in timeserver1 POST parameter to /goform/saveS2ConfVals: URL-decoded value contains $(...) bash subshell executing a file from the web upload directory.
  • A file named shell.jpg uploaded to /person/upload/ containing shell commands (not image data) is a strong indicator of exploitation of the unrestricted file upload vulnerability.
  • Presence of /usr/local/s2/web/cgi-bin/websrunnings.cgi (note the trailing 's') on the filesystem is a post-exploitation persistence indicator — this file is created by the exploit as a backdoor CGI.
  • The vulnerability exists due to insufficient validation of input data in the authentication mechanism. A remote attacker can send a specially crafted HTTP request whose Cookie header value traverses to an arbitrary session file, bypassing the authentication checks.
  • The exploit targets firmware version 4.6.07 (revision 79330) and prior. Devices running patched firmware v32-09a are not affected.
  • The webserver process runs as root, so any code execution via the CGI backdoor yields root-level privileges; detections should treat any process spawned from websrunnings.cgi as high severity.
  • The exploit chains five separate CVEs (CVE-2019-7266 through CVE-2019-7270); CVE-2019-7266 (auth bypass) is the entry point enabling all subsequent stages.
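The detection notes above map to a handful of request-level rules: a sessionId cookie that traverses out of the session directory, an unauthenticated POST to uplsysupdate.cgi, shell metacharacters in a saveS2ConfVals parameter, any call to the websrunnings.cgi backdoor, and a "JPEG" under /person/upload/ that is not actually a JPEG. The following is an added example (not code from the original page or from the vendor) that applies those rules to HTTP request records. The record layout (method/path/headers/body dicts) and the sample requests are constructed assumptions about what a reverse proxy or packet capture in front of the controller would yield; the stage-to-CVE mapping is only filled in where the page itself makes the attribution.

```python
"""
Detection rules for the CVE-2019-7266 eMerge exploit chain, applied to HTTP
request records. Added example; the request format and samples are assumed.
"""
import re
from urllib.parse import parse_qs

# Shell metacharacters that never belong in an NTP server field.
SHELL_META = re.compile(r"\$\(|`|\||;|&&|\n")
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXT = (".jpg", ".jpeg")

# Constructed sample records mirroring the IOCs on this page (hypothetical).
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.html",
     "headers": {"Cookie": "sessionId=8f3a2c"}, "body": ""},
    {"method": "POST", "path": "/cgi-bin/uplsysupdate.cgi",
     "headers": {"Content-Type": "multipart/form-data; boundary=xx"},
     "body": 'Content-Disposition: form-data; name="file"; filename="backup.upg"'
             '\r\n\r\n(session data)'},
    {"method": "GET", "path": "/person/index.html",
     "headers": {"Cookie": "sessionId=../web/upload/system/backup.upg"}, "body": ""},
    {"method": "POST", "path": "/goform/saveS2ConfVals",
     "headers": {"Cookie": "sessionId=8f3a2c"},
     "body": "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29"},
    {"method": "GET", "path": "/cgi-bin/websrunnings.cgi",
     "headers": {"Cookie": "sudo id"}, "body": ""},
    {"method": "POST", "path": "/person/upload/",
     "headers": {"Content-Type": "multipart/form-data; boundary=xx"},
     "body": 'Content-Disposition: form-data; name="file"; filename="shell.jpg"'
             '\r\n\r\n#!/bin/bash\nid'},
    # Benign control: a real JPEG upload (starts with the JPEG magic bytes).
    {"method": "POST", "path": "/person/upload/",
     "headers": {"Content-Type": "multipart/form-data; boundary=xx"},
     "body": 'Content-Disposition: form-data; name="file"; filename="photo.jpg"'
             '\r\n\r\n\xff\xd8\xff\xe0JFIF'},
]


def _cookies(header):
    """Parse a Cookie header into a dict; parts without '=' are ignored."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k.strip()] = v.strip()
    return out


def _multipart_filename(body):
    m = re.search(r'filename="([^"]*)"', body)
    return m.group(1) if m else None


def _multipart_content(body):
    """Return the uploaded bytes: everything after the first blank line."""
    _, sep, data = body.partition("\r\n\r\n")
    return data.encode("latin-1") if sep else b""


def analyze_request(req):
    """Return a list of findings ({stage, cve, detail}) for one request."""
    findings = []
    method = req["method"].upper()
    path = req["path"]
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    body = req.get("body", "")
    cookie = headers.get("cookie", "")

    # Stage 1: auth bypass, sessionId pointing outside the session store.
    sid = _cookies(cookie).get("sessionId", "")
    if ".." in sid or "/" in sid:
        findings.append({"stage": "auth-bypass", "cve": "CVE-2019-7266",
                         "detail": f"sessionId traversal: {sid}"})

    # Stage 2: unauthenticated upload through the firmware-update CGI.
    if method == "POST" and path == "/cgi-bin/uplsysupdate.cgi":
        findings.append({"stage": "upload", "cve": "CVE-2019-7268",
                         "detail": f"uplsysupdate.cgi filename={_multipart_filename(body)}"})

    # Image-named upload under /person/upload/ that lacks JPEG magic bytes.
    fname = _multipart_filename(body)
    if path.startswith("/person/upload") and fname and fname.lower().endswith(IMAGE_EXT):
        if not _multipart_content(body).startswith(JPEG_MAGIC):
            findings.append({"stage": "upload", "cve": "CVE-2019-7268",
                             "detail": f"{fname} uploaded without JPEG magic bytes"})

    # Stage 3: command injection in saveS2ConfVals (parse_qs URL-decodes).
    if method == "POST" and path == "/goform/saveS2ConfVals":
        for name, values in parse_qs(body).items():
            for v in values:
                if SHELL_META.search(v):
                    findings.append({"stage": "command-injection", "cve": None,
                                     "detail": f"{name}={v}"})

    # Stage 4: the backdoor CGI should not exist; any hit is a finding.
    if path.endswith("/cgi-bin/websrunnings.cgi"):
        findings.append({"stage": "backdoor", "cve": None,
                         "detail": f"websrunnings.cgi called, Cookie={cookie!r}"})
    return findings


def analyze_all(requests):
    """Run every rule over a list of records; returns (index, finding) pairs."""
    return [(i, f) for i, req in enumerate(requests) for f in analyze_request(req)]


if __name__ == "__main__":
    for i, f in analyze_all(SAMPLE_REQUESTS):
        print(f"request {i}: {f['stage']:<18} {f['cve'] or '-':<14} {f['detail']}")
```

Rule 4 fires on any request to websrunnings.cgi regardless of the cookie, because the file only exists on a device that has already been compromised; the Cookie value is carried into the finding so an analyst can see the injected command. The JPEG check is deliberately narrow (magic bytes only) to keep false positives low on a device where every other upload path is also reachable.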

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P