CVE-2022-31499
published 2022-08-25

Priority: P1 89, critical
CVSS 3.1 base score: 9.8 (critical)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW exploit: VulnCheck KEV (exploited in the wild)
EPSS: 64.83% (99.1th percentile)
Nortek Linear eMerge E3-Series devices before 0.32-08f allow an unauthenticated attacker to inject OS commands via ReaderNo. NOTE: this issue exists because of an incomplete fix for CVE-2019-7256.

Affected

1 range
Vendor: nortekcontrol
Product: emerge_e3_firmware
Version range: <= 0.32-09c
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /card_scan.php?No=123&ReaderNo=`sleep%207`&CardFormatNo=123
Path: /card_scan.php
Command: ReaderNo=`sleep%207`
  • Time-based detection: HTTP GET to /card_scan.php with backtick-wrapped OS command in ReaderNo parameter causes a measurable delay (>=7s response duration) indicating successful command injection.
  • Shodan/FOFA/Google dork pivots to identify exposed eMerge devices: search for title 'eMerge', 'emerge', or 'linear emerge'.
  • Exploitation requires no authentication (PR:N, UI:N); any unauthenticated HTTP GET to /card_scan.php with a crafted ReaderNo parameter is sufficient to trigger OS command injection.
  • This vulnerability is an incomplete fix for CVE-2019-7256; devices patched for the earlier CVE may still be vulnerable if not updated to firmware >= 0.32-08f.
  • Affected scope is Nortek Linear eMerge E3-Series firmware versions before 0.32-08f only; devices running 0.32-08f or later are not affected.
  • Detection template uses a 15-second HTTP timeout and a 7-second sleep payload; network latency may affect time-based detection accuracy and produce false positives or negatives.
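The time-based check above only works when you can probe the device; a complementary, latency-independent approach is to look for shell metacharacters in the numeric card_scan.php parameters in the device's or reverse proxy's access logs. The following is an added example, not code from the original page or from any Nortek tool; the log lines are constructed samples in combined log format, and the parameter names are the ones the IOC above shows (No, ReaderNo, CardFormatNo).

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Aug/2022:10:01:02 +0000] "GET /card_scan.php?No=123&ReaderNo=`sleep%207`&CardFormatNo=123 HTTP/1.1" 200 17
198.51.100.7 - - [25/Aug/2022:10:01:09 +0000] "GET /card_scan.php?No=5&ReaderNo=2&CardFormatNo=1 HTTP/1.1" 200 17
203.0.113.9 - - [25/Aug/2022:10:02:30 +0000] "GET /card_scan.php?No=1&ReaderNo=%24%28id%29&CardFormatNo=1 HTTP/1.1" 200 17
192.0.2.4 - - [25/Aug/2022:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)
# Shell metacharacters that have no place in a numeric reader/card parameter.
SHELL_META = re.compile(r'[`$;|&<>(){}\n]')
WATCHED_PARAMS = ("No", "ReaderNo", "CardFormatNo")


def classify_request(target: str):
    """Return (param, decoded_value) for the first suspicious card_scan.php
    parameter in a request target, or None if the request looks benign."""
    parts = urlsplit(target)
    if not parts.path.endswith("/card_scan.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in WATCHED_PARAMS:
        for raw in query.get(name, []):
            value = unquote(raw)  # second decode catches double-encoded payloads
            # A legitimate reader/card number is purely numeric.
            if not value.isdigit() and SHELL_META.search(value):
                return name, value
    return None


def scan_log(text: str):
    """Return a list of (ip, timestamp, param, value) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_request(m["target"])
        if verdict:
            hits.append((m["ip"], m["ts"], *verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("ALERT card_scan.php injection attempt:", hit)
```

Because the decoded value is checked rather than the raw URL, a payload encoded as `%24%28id%29` is flagged just like the literal backtick form; purely numeric parameters never match, so normal reader traffic produces no alerts.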

CVSS provenance

NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL