CVE-2019-7256

9.8 CRITICAL

📋 TL;DR

CVE-2019-7256 is a command injection vulnerability in Linear eMerge E3-Series access control devices that allows attackers to execute arbitrary commands on the system. This affects organizations using these physical security devices for building access control. Attackers can potentially gain full control of the access controller system.

💻 Affected Systems

Products:
  • Linear eMerge E3-Series Access Controllers
Versions: Version 1.00-06 and likely earlier versions
Operating Systems: Embedded Linux-based system
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface components card_scan.php and card_scan_decoder.php. These are typically accessible via the device's management interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of access control system allowing attackers to unlock doors, disable security systems, pivot to internal networks, and maintain persistent access to physical facilities.

🟠

Likely Case

Unauthorized access to building areas, potential data theft from connected systems, and disruption of physical security operations.

🟢

If Mitigated

Limited impact if devices are properly segmented and monitored, though physical security could still be compromised.

🌐 Internet-Facing: HIGH - These devices are often exposed to the internet for remote management, making them prime targets for attackers.
🏢 Internal Only: MEDIUM - Even internally, compromised access controllers can provide footholds for lateral movement and physical security breaches.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts exist. The vulnerability requires no authentication and has simple exploitation vectors via HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Linear (now Nortek Security & Control) for updated firmware

Vendor Advisory: https://applied-risk.com/labs/advisories

Restart Required: Yes

Instructions:

1. Contact Linear/Nortek for the latest firmware.
2. Back up the current configuration.
3. Apply the firmware update via the web interface or console.
4. Verify the update and restore the configuration if needed.
5. Test system functionality.

🔧 Temporary Workarounds

Network Segmentation (platform: all)

Isolate access controllers from the internet and restrict network access to them.

Web Interface Restriction (platform: linux)

Block access to the vulnerable PHP files via the web server configuration. Apache example:

<LocationMatch "^/card_scan\.php$">
    Deny from all
</LocationMatch>
<LocationMatch "^/card_scan_decoder\.php$">
    Deny from all
</LocationMatch>

"Deny from all" is the Apache 2.2 (mod_access_compat) form; on Apache 2.4 without that module use "Require all denied" inside each block instead.

🧯 If You Can't Patch

  • Implement strict network segmentation - place devices in isolated VLAN with no internet access
  • Deploy web application firewall (WAF) rules to block command injection patterns

🔍 How to Verify

Check if Vulnerable:

Check if /card_scan.php or /card_scan_decoder.php endpoints accept unsanitized input parameters. Test with safe payloads like 'id=test;echo vulnerable' and observe system response.

Check Version:

Check web interface footer or system information page for firmware version. SSH/Telnet access may show version via 'cat /etc/version' or similar.

Verify Fix Applied:

Attempt exploitation with known payloads after patch. Verify PHP files properly sanitize input and no longer execute system commands.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed login attempts followed by successful access
  • Suspicious PHP file access patterns

Network Indicators:

  • HTTP requests to card_scan.php with shell metacharacters
  • Outbound connections from access controller to unexpected destinations
  • Unusual port scanning from controller IP

SIEM Query:

source="access_controller" AND (uri="*card_scan*" AND (param="*;*" OR param="*|*" OR param="*`*"))
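As an added example (not part of the original page or any vendor tooling), the following Python script applies the network indicator above to web server access logs: it flags requests to the two endpoints named in this advisory whose query parameters decode to shell metacharacters, including double-URL-encoded values that a plain wildcard search on the raw URI would miss. The log format, parameter name "id" and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoints named in this advisory (card_scan.php and card_scan_decoder.php).
WATCHED_PATHS = ("/card_scan.php", "/card_scan_decoder.php")

# Shell metacharacters that should never appear in a card-reader parameter.
SHELL_META = re.compile(r"[;|`&$()<>\n]")

# Common/Combined Log Format: client ident user [timestamp] "METHOD target proto" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def suspicious_params(query):
    """Return (name, decoded_value) pairs whose value carries shell metacharacters."""
    hits = []
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        # Decode twice so a double-encoded payload (%2524 -> %24 -> $) is still caught.
        value = unquote_plus(unquote_plus(raw))
        if SHELL_META.search(value):
            hits.append((name, value))
    return hits

def analyse_line(line):
    """Return an alert dict for a watched-path request carrying shell metacharacters, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if target.path not in WATCHED_PATHS:
        return None
    hits = suspicious_params(target.query)
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": target.path, "params": hits}

def scan_log(lines):
    return [alert for alert in map(analyse_line, lines) if alert]

# Constructed sample access-log lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /card_scan.php?id=20 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /card_scan.php?id=20%3Bid HTTP/1.1" 200 640',
    '198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?page=1%3Bid HTTP/1.1" 200 300',
    '203.0.113.7 - - [10/Oct/2023:13:56:15 +0000] "GET /card_scan_decoder.php?id=1%2524%2528id%2529 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The third sample line is deliberately ignored because the metacharacters target a path outside the advisory's scope; widen WATCHED_PATHS if you want the same check on other endpoints.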

🔗 References