Cybersecurity safety researchers are warning about an unpatched vulnerability in Good Linear eMerge E3 entry controller programs that would enable for the execution of arbitrary working system (OS) instructions.
The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS rating of 9.8 out of a most of 10.0, in line with VulnCheck.
“A vulnerability in the Nortek Linear eMerge E3 allows remote unauthenticated attackers to cause the device to execute arbitrary command,” SSD Disclosure mentioned in an advisory for the flaw launched late final month, stating the seller has but to offer a repair or a workaround.
The flaw impacts the next variations of Nortek Linear eMerge E3 Entry Management: 0.32-03i, 0.32-04m, 0.32-05p, 0.32-05z, 0.32-07p, 0.32-07e, 0.32-08e, 0.32-08f, 0.32-09c, 1.00.05, and 1.00.07.
Proof-of-concept (PoC) exploits for the flaw have been launched following public disclosure, elevating issues that it could possibly be exploited by risk actors.
It is price noting that one other crucial flaw impacting E3, CVE-2019-7256 (CVSS rating: 10.0), was exploited by a risk actor often called Flax Hurricane to recruit vulnerable units into the now-dismantled Raptor Prepare botnet.
Though initially disclosed in Could 2019, the shortcoming wasn’t addressed by the corporate till earlier this March.
“But given the vendor’s slow response to the previous CVE-2019-7256, we don’t expect a patch for CVE-2024-9441 any time soon,” VulnCheck’s Jacob Baines mentioned. “Organizations using the Linear Emerge E3 series should act quickly to take these devices offline or isolate them.”
In an announcement shared with SSD Disclosure, Good is recommending prospects to observe safety greatest practices, together with implementing community segmentation, limit entry to the product from the web, and place it behind a community firewall.
