cbcvebase.
CVE-2022-38627
published 2023-01-03

CVE-2022-38627: Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a SQL injection…

Priority: P178 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 4.27% (89.9th percentile)
Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a SQL injection vulnerability via the idt parameter.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
niceforyou | linear_emerge_e3_access_control_firmware | |
niceforyou | linear_emerge_e3_access_control_firmware | |
niceforyou | linear_emerge_e3_access_control_firmware | |
niceforyou | linear_emerge_e3_access_control_firmware | |
niceforyou | linear_emerge_e3_access_control_firmware | |
niceforyou | linear_emerge_e3_access_control_firmware | |

Detection & IOCs (extracted from sources)

url: /badging/badge_template_print.php?tpl=aa.xml&idt=1337%20UNION%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,%27{{randstr}}%27||%27CVE%27||(7*7*7*7)||SWVersion,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20version
path: /badging/badge_template_print.php
  • Exploit targets the `idt` parameter in badge_template_print.php via a UNION-based SQL injection selecting from the `version` table (SWVersion column). Look for GET requests to this path with UNION SELECT payloads in the `idt` query parameter.
  • Successful exploitation returns a response body containing the strings 'Print Badge' and 'btnPrint' alongside injected version data. Monitor HTTP responses from eMerge devices for these strings combined with SQL UNION output.
  • Shodan query 'http.title:"Linear eMerge"' can be used to identify internet-exposed Nortek Linear eMerge E3-Series devices that may be vulnerable.
  • The attack is unauthenticated (PR:N, UI:N per CVSS). No session or credentials are required; any unauthenticated GET request to the vulnerable endpoint with a crafted `idt` value should be treated as a high-confidence attack indicator.
  • Affected firmware versions are specifically 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e. Detection rules should be scoped to these versions where firmware fingerprinting is possible.
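
The request-side check described in the bullets above, as an added example (not code from this page or from the vendor): it reads web or proxy access-log lines in combined log format, URL-decodes the `idt` parameter of requests to the listed path, and classifies the value. The log lines are constructed samples, and treating a legitimate `idt` as a plain decimal ID is an assumption.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

VULN_PATH = "/badging/badge_template_print.php"   # path listed in the IOCs above
REQ_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# SQL markers seen in the published request: UNION/SELECT keywords, || concatenation, quotes
SQL_RE = re.compile(r"\b(?:union|select)\b|\|\||--|'", re.I)

def classify(line):
    """Return 'sqli', 'suspicious' or None for one access-log line."""
    m = REQ_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if unquote(url.path) != VULN_PATH:          # decode so %-encoded paths still match
        return None
    verdict = None
    # parse_qs URL-decodes values and keeps every repeat of the parameter
    for value in parse_qs(url.query, keep_blank_values=True).get("idt", []):
        if re.fullmatch(r"[0-9]+", value):      # assumption: a legitimate idt is numeric
            continue
        if SQL_RE.search(value):
            return "sqli"
        verdict = "suspicious"                  # non-numeric, but no SQL marker
    return verdict

# Constructed sample lines (documentation IP ranges, not real traffic)
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Jan/2023:10:00:01 +0000] "GET /badging/badge_template_print.php'
    '?tpl=aa.xml&idt=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [03/Jan/2023:10:02:44 +0000] "GET /badging/badge_template_print.php'
    '?tpl=aa.xml&idt=1337%20UNION%20SELECT%20NULL,NULL%20from%20version HTTP/1.1" 200 6011',
    '198.51.100.7 - - [03/Jan/2023:10:02:50 +0000] "GET /badging/badge_template_print.php'
    '?tpl=aa.xml&idt=abc HTTP/1.1" 200 900',
    '192.0.2.10 - - [03/Jan/2023:10:05:00 +0000] "GET /index.php'
    '?idt=1%20union%20select HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for log_line in SAMPLE_LOG:
        print(classify(log_line), "<-", log_line[:60])
```

Because the endpoint needs no authentication, a hit is meaningful regardless of whether the request carried a session cookie.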

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL