CVE-2019-7269
published 2019-07-02

CVE-2019-7269: Linear eMerge 50P/5000P devices allow Authenticated Command Injection with root Code Execution.

Priority: P279 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 40.01% (98.4th percentile)

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nortekcontrol | linear_emerge_5000p_firmware | <= 4.6.07 | |
| nortekcontrol | linear_emerge_50p_firmware | <= 4.6.07 | |

Detection & IOCs (extracted from sources)

url: /cgi-bin/websrunnings.cgi
url: /cgi-bin/uplsysupdate.cgi
url: /goform/saveS2ConfVals
url: /person/upload/
path: /usr/local/s2/web/cgi-bin/websrunnings.cgi
filename: shell.jpg
filename: backup.upg
cookie: Cookie: sudo <command>
command: timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29
  • Monitor HTTP requests to /cgi-bin/uplsysupdate.cgi for unauthenticated POST requests uploading .upg files — this endpoint allows unauthenticated file upload used to plant a malicious session file.
  • Detect path traversal in the .sessionId cookie value — specifically sequences containing '../' pointing outside the session directory (e.g., '../web/upload/system/backup.upg').
  • Alert on HTTP Cookie headers containing the string 'sudo' followed by OS commands sent to /cgi-bin/websrunnings.cgi — this is the post-exploitation remote shell mechanism.
  • Detect POST requests to /goform/saveS2ConfVals where the timeserver1 parameter contains shell metacharacters or URL-encoded command substitution (e.g., %24%28 = '$(').
  • Monitor for creation or access of /usr/local/s2/web/cgi-bin/websrunnings.cgi — this file does not exist by default and is created by the exploit as a persistent web shell.
  • The exploit targets Linear eMerge 50P/5000P version 4.6.07 (revision 79330) and prior; devices running patched firmware v32-09a are not vulnerable.
  • CVE-2019-7269 (command injection) chains with CVE-2019-7266 (auth bypass via cookie path traversal), CVE-2019-7267 (path traversal), and CVE-2019-7268 (unrestricted file upload) for full unauthenticated RCE as root.
  • The webserver process runs as root, meaning any code execution via the web shell yields immediate root privileges without further escalation.
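
The request-level checks listed above, combined into one matcher, as an added example (not code from this page, the vendor, or the exploit author). It assumes each HTTP request is already available as a record with `method`, `path`, `cookie` and `body` fields, for example from a reverse proxy or WAF log; that record layout and the indicator names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote

# Characters that never belong in an NTP server host name.
SHELL_META = re.compile(r"[$`;|&<>(){}\\\n]")
UPG_UPLOAD = re.compile(r'filename="[^"]*\.upg"', re.I)

def session_id(cookie):
    """Return the URL-decoded .sessionId cookie value, or '' if absent."""
    for part in cookie.split(";"):
        name, _, value = part.strip().partition("=")
        if name == ".sessionId":
            return unquote(value)
    return ""

def detect(req):
    """Return the indicator names matched by one request record."""
    method, path = req["method"].upper(), req["path"].split("?", 1)[0]
    cookie, body = req.get("cookie", ""), req.get("body", "")
    hits = []
    # Authentication state is not visible in the record, so flag every .upg upload.
    if method == "POST" and path == "/cgi-bin/uplsysupdate.cgi" and UPG_UPLOAD.search(body):
        hits.append("upg-upload")
    if "../" in session_id(cookie):
        hits.append("sessionid-traversal")
    if path == "/cgi-bin/websrunnings.cgi":  # file does not exist by default
        hits.append("websrunnings-request")
        if re.search(r"\bsudo\b", cookie):
            hits.append("sudo-cookie")
    if method == "POST" and path == "/goform/saveS2ConfVals":
        # parse_qs URL-decodes the value, so %24%28 is tested as '$('.
        values = parse_qs(body, keep_blank_values=True).get("timeserver1", [])
        if any(SHELL_META.search(v) for v in values):
            hits.append("timeserver1-metachar")
    return hits

# Constructed request records (field names assumed); attack values reuse the page's IOC strings.
SAMPLES = [
    {"method": "POST", "path": "/cgi-bin/uplsysupdate.cgi",
     "body": 'Content-Disposition: form-data; name="upload"; filename="backup.upg"'},
    {"method": "GET", "path": "/", "cookie": ".sessionId=../web/upload/system/backup.upg"},
    {"method": "POST", "path": "/goform/saveS2ConfVals",
     "body": "timeserver1=a.a%24%28bash%3C%2Fusr%2Flocal%2Fs2%2Fweb%2Fupload%2Fpics%2Fshell.jpg%29"},
    {"method": "GET", "path": "/cgi-bin/websrunnings.cgi", "cookie": "sudo <command>"},
    {"method": "POST", "path": "/goform/saveS2ConfVals", "body": "timeserver1=time.example.org"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["method"], sample["path"], detect(sample))
```

The file-creation indicator for /usr/local/s2/web/cgi-bin/websrunnings.cgi is a host-side check and is not covered by this request matcher.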

CVSS provenance

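| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |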