CVE-2019-7268
published 2019-07-02

CVE-2019-7268: Linear eMerge 50P/5000P devices allow Unauthenticated File Upload.

Priority: P278 critical
CVSS 3.1: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploit: available
EPSS: 6.48% (92.9th percentile)
Linear eMerge 50P/5000P devices allow Unauthenticated File Upload.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
nortekcontrol | linear_emerge_5000p_firmware | <= 4.6.07 | (none listed)
nortekcontrol | linear_emerge_50p_firmware | <= 4.6.07 | (none listed)

Detection & IOCs (extracted from sources)

url: /cgi-bin/uplsysupdate.cgi
url: /cgi-bin/websrunnings.cgi
path: /usr/local/s2/web/cgi-bin/websrunnings.cgi
path: /usr/local/s2/web/upload/pics/shell.jpg
path: /usr/local/s2/web/upload/system/backup.upg
cookie: .sessionId=../web/upload/system/backup.upg
filename: shell.jpg
filename: backup.upg
url: /goform/saveS2ConfVals
url: /goform/restarts2Conf
url: /person/upload/
command: timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29
cookie: Cookie: sudo <command>
  • Monitor HTTP requests to /cgi-bin/uplsysupdate.cgi for unauthenticated multipart file uploads, especially files with non-.upg extensions or files containing shell commands.
  • Alert on Cookie header values containing path traversal sequences (e.g., '../') in the .sessionId cookie field, used to bypass authentication by pointing to an attacker-controlled session file.
  • Detect HTTP requests to /cgi-bin/websrunnings.cgi with a Cookie header containing OS commands (e.g., 'sudo <cmd>'), which is the post-exploitation webshell execution mechanism.
  • Flag POST requests to /goform/saveS2ConfVals where the timeserver1 parameter contains shell metacharacters or command substitution sequences (e.g., URL-encoded '$(' or 'bash<').
  • Detect image uploads to /person/upload/ where the uploaded file contains shell script content rather than valid image data (e.g., file begins with shell commands instead of image magic bytes).
  • The exploit targets version 4.6.07 (revision 79330) and prior; the patched version is v32-09a. Detections should be scoped to unpatched Linear eMerge 50P/5000P devices.
  • The webshell backdoor (/cgi-bin/websrunnings.cgi) is created by copying and patching the legitimate websrunning.cgi binary; the presence of websrunnings.cgi (with trailing 's') on the filesystem is a strong post-compromise indicator.
  • CVE-2019-7268 (unauthenticated file upload) is chained with CVE-2019-7267 (path traversal in session ID), CVE-2019-7269 (command injection), and CVE-2019-7266 (improper authentication) for full RCE; detections should consider the full attack chain.
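The five detection bullets above translate directly into request-level rules. The following Python is an added example written for this page, not code from cvebase or from any published detection rule set; it runs the rules over a handful of constructed request records (the field names `method`, `path`, `cookie`, `body`, `upload_name` and `upload_data` are assumptions about what a reverse proxy or WAF log would carry). Only the endpoint paths, cookie name, parameter name and the URL-encoded `timeserver1` value come from the IOC list on this page.

```python
import re
from urllib.parse import parse_qs, unquote

# Magic bytes for the image types a picture upload endpoint should accept
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF87a", b"GIF89a")
# Command substitution and other shell metacharacters that have no place in an NTP hostname
SHELL_META = re.compile(r"\$\(|`|[;|&<>]")


def is_image(data: bytes) -> bool:
    """True when the payload starts with a known image signature."""
    return data.startswith(IMAGE_MAGIC)


def looks_like_script(data: bytes) -> bool:
    """Heuristic: a shebang or an explicit shell interpreter path in the first bytes."""
    head = data.lstrip()[:128]
    return head.startswith(b"#!") or b"/bin/sh" in head or b"bash" in head


def session_id_cookie(cookie_header: str) -> str:
    """Return the raw .sessionId cookie value, or '' if the cookie is absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == ".sessionId":
            return value
    return ""


def detect(event: dict) -> list:
    """Apply the five page-level detections to one request record; returns alert names."""
    alerts = []
    method = event.get("method", "")
    path = event.get("path", "")
    cookie = event.get("cookie", "")
    name = event.get("upload_name", "")
    data = event.get("upload_data", b"")

    # 1. Any hit on the firmware-update CGI is worth logging; non-.upg names or
    #    script-looking content are the stronger signal.
    if path == "/cgi-bin/uplsysupdate.cgi":
        alerts.append("uplsysupdate-request")
        if not name.lower().endswith(".upg") or looks_like_script(data):
            alerts.append("uplsysupdate-suspicious-file")

    # 2. Path traversal in the .sessionId cookie (decode first so %2e%2e%2f is caught too)
    if "../" in unquote(session_id_cookie(cookie)):
        alerts.append("sessionid-traversal")

    # 3. Commands passed through the Cookie header to the backdoored CGI name
    if path == "/cgi-bin/websrunnings.cgi" and re.search(r"\bsudo\b", cookie):
        alerts.append("websrunnings-command")

    # 4. Shell metacharacters in timeserver1 (parse_qs URL-decodes the value for us)
    if method == "POST" and path == "/goform/saveS2ConfVals":
        params = parse_qs(event.get("body", ""), keep_blank_values=True)
        if any(SHELL_META.search(v) for v in params.get("timeserver1", [])):
            alerts.append("timeserver1-injection")

    # 5. Picture upload whose body does not carry an image signature
    if path.startswith("/person/upload/") and data and not is_image(data):
        alerts.append("person-upload-non-image")

    return alerts


def scan(events) -> dict:
    """Map each event id to the alerts it raised."""
    return {e["id"]: detect(e) for e in events}


# Constructed sample records (not captured traffic): five malicious, two benign.
SAMPLE_EVENTS = [
    {"id": 1, "method": "POST", "path": "/cgi-bin/uplsysupdate.cgi", "cookie": "",
     "upload_name": "shell.jpg", "upload_data": b"#!/bin/sh\necho constructed\n"},
    {"id": 2, "method": "GET", "path": "/index.html",
     "cookie": ".sessionId=../web/upload/system/backup.upg"},
    {"id": 3, "method": "GET", "path": "/cgi-bin/websrunnings.cgi", "cookie": "sudo id"},
    {"id": 4, "method": "POST", "path": "/goform/saveS2ConfVals", "cookie": ".sessionId=0a1b2c",
     "body": "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29"},
    {"id": 5, "method": "POST", "path": "/person/upload/", "cookie": ".sessionId=0a1b2c",
     "upload_name": "avatar.jpg", "upload_data": b"#!/bin/sh\necho constructed\n"},
    {"id": 6, "method": "POST", "path": "/goform/saveS2ConfVals", "cookie": ".sessionId=0a1b2c",
     "body": "timeserver1=pool.ntp.org"},
    {"id": 7, "method": "POST", "path": "/person/upload/", "cookie": ".sessionId=0a1b2c",
     "upload_name": "avatar.jpg", "upload_data": b"\xff\xd8\xff\xe0\x00\x10JFIF"},
]

if __name__ == "__main__":
    for event_id, alerts in scan(SAMPLE_EVENTS).items():
        print(event_id, alerts or "clean")
```

Rule 4 decodes before matching, which is the part most often missed: a signature written against the raw `%24%28` form will miss the same payload sent with different encoding, while matching on the decoded value catches both. Rules 1 and 5 inspect content rather than the file extension alone, since the page's indicator is precisely a `.jpg` name carrying shell text.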

CVSS provenance

NVD, CVSS v3.1: 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
NVD, CVSS v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C