CVE-2019-7268

10.0 CRITICAL

📋 TL;DR

CVE-2019-7268 allows unauthenticated attackers to upload arbitrary files to Linear eMerge 50P/5000P access control systems, leading to remote code execution. This affects organizations using these physical security devices for building access control. The vulnerability enables complete system compromise without requiring valid credentials.

💻 Affected Systems

Products:
  • Linear eMerge 50P
  • Linear eMerge 5000P
Versions: Version 4.6.07 and earlier
Operating Systems: Embedded Linux-based system
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; no special configuration required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system takeover allowing attackers to disable physical access controls, steal sensitive data, pivot to internal networks, and potentially cause physical security breaches.

🟠 Likely Case

Remote code execution leading to data theft, system disruption, and installation of persistent backdoors on access control systems.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external exploitation, though internal threats remain.

🌐 Internet-Facing: HIGH - Devices exposed to internet are trivially exploitable without authentication.
🏢 Internal Only: HIGH - Even internally, unauthenticated exploitation allows lateral movement and system compromise.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts available; exploitation requires only network access to the device.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.6.08 and later

Vendor Advisory: https://www.applied-risk.com/resources/ar-2019-006

Restart Required: Yes

Instructions:

1. Contact Linear/Johnson Controls for updated firmware.
2. Backup configuration.
3. Apply firmware update via web interface.
4. Restart device.
5. Verify version update.

🔧 Temporary Workarounds

Network Segmentation (all platforms)

Isolate eMerge devices from the internet and restrict internal network access.

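Firewall Rules (Linux)

Block all external access to the eMerge web interface ports (typically 80/443). The rules below use the INPUT chain, so they drop traffic addressed to the host they are applied on; on a Linux gateway in front of the device, the equivalent rules belong in the FORWARD chain, matched on the device's address.

iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP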

🧯 If You Can't Patch

  • Immediately disconnect from internet and implement strict network segmentation
  • Deploy web application firewall with file upload filtering rules

🔍 How to Verify

Check if Vulnerable:

Check web interface for version number; versions 4.6.07 and earlier are vulnerable. Attempt file upload to /upload endpoint without authentication.

Check Version:

curl -k https://<device-ip>/version

Alternatively, check the web interface login page.

Verify Fix Applied:

Verify firmware version is 4.6.08 or later via web interface. Test that unauthenticated file upload to /upload endpoint is blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to /upload endpoint
  • Unusual file creation in web directories
  • Shell command execution from web user

Network Indicators:

  • File upload traffic to eMerge devices without authentication
  • Unexpected outbound connections from eMerge devices

SIEM Query:

source="eMerge" AND uri="/upload" AND method="POST" AND user="-"
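
The first log indicator above, as an added example (not part of the original advisory or any vendor tooling): a Python filter that flags POST requests to /upload that carry no authenticated user and groups them per source address. It assumes the web access log is in Common Log Format; the function names and the sample lines are constructed for illustration.

```python
import re

# Assumption: the web access log is in Common/Combined Log Format:
# host ident user [time] "METHOD uri proto" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation IP ranges), not from a real device.
SAMPLE_LOG = """\
192.0.2.10 - admin [12/Mar/2024:09:14:02 +0000] "POST /upload HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:09:15:40 +0000] "GET /index.html HTTP/1.1" 200 2048
198.51.100.7 - - [12/Mar/2024:09:15:44 +0000] "POST /upload HTTP/1.1" 200 131
198.51.100.7 - - [12/Mar/2024:09:15:51 +0000] "POST /upload?x=1 HTTP/1.1" 403 0
203.0.113.5 - - [12/Mar/2024:09:16:00 +0000] "POST /login HTTP/1.1" 302 0
malformed line that should be skipped
"""

def normalize_path(uri):
    """Drop the query string and trailing slash so /upload/?x=1 still matches."""
    return uri.split("?", 1)[0].rstrip("/") or "/"

def find_unauth_uploads(lines, upload_path="/upload"):
    """Return requests that are POST, target upload_path and carry no user."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not an access-log line; ignore rather than fail
        if (m["method"] == "POST" and m["user"] == "-"
                and normalize_path(m["uri"]) == upload_path):
            hits.append({
                "host": m["host"], "time": m["time"], "uri": m["uri"],
                "status": int(m["status"]),
                "accepted": m["status"].startswith("2"),  # 2xx: server took it
            })
    return hits

def summarize(hits):
    """Group hits per source address so one client yields one alert."""
    by_host = {}
    for h in hits:
        s = by_host.setdefault(h["host"], {"attempts": 0, "accepted": 0})
        s["attempts"] += 1
        s["accepted"] += int(h["accepted"])
    return by_host

if __name__ == "__main__":
    print(summarize(find_unauth_uploads(SAMPLE_LOG.splitlines())))
```

A hit with a 2xx status is the one to triage first, since it means the device accepted the request rather than rejecting it.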
