Oct 10, 2024
Ravie Lakshmanan
Vulnerability / Enterprise Security
Cybersecurity researchers have disclosed a critical, unpatched vulnerability in Nice Linear eMerge E3 access controllers that could allow a remote attacker to execute arbitrary operating system commands on the device.
The flaw, tracked as CVE-2024-9441 and rated 9.8 on the CVSS severity scale, was flagged by VulnCheck, which noted that no patch is available.
An advisory from SSD Disclosure, which refers to the product under its Nortek branding, states: “A vulnerability in the Nortek Linear eMerge E3 allows remote unauthenticated attackers to cause the device to execute arbitrary commands.” No fix or workaround is currently available from the vendor.
The vulnerability affects multiple versions of Nortek Linear eMerge E3 Access Control. Proof-of-concept (PoC) exploit code is already publicly available, which makes exploitation by malicious actors increasingly likely.
Notably, a similar critical vulnerability in the same product, CVE-2019-7256, was previously exploited by the threat actor known as Flax Typhoon to build a botnet, which shows how quickly such flaws in internet-exposed access controllers are weaponized and underscores the urgency of addressing them.
VulnCheck’s Jacob Baines said, “Given the vendor’s delayed response to previous vulnerabilities, a timely patch for CVE-2024-9441 may not be foreseeable. Organizations relying on Linear Emerge E3 series are advised to take proactive measures such as isolating or disabling these devices.”
For its part, Nice recommends following security best practices to reduce exposure: segmenting the network, restricting access to the devices from the internet, and deploying them behind a network firewall.
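The segmentation and firewalling that Nice recommends, expressed as an added example that is not part of the original article and is not vendor-supplied configuration: an nftables ruleset for a firewall that fronts the VLAN holding the controller. The controller address (10.20.30.5), the management host (10.0.0.10) and the web-interface ports (TCP 80/443) are assumptions for illustration and are not taken from the article; substitute your own addressing.

```nft
# Added example, not from Nice/Nortek or the article.
# Assumptions (not from the page): the eMerge E3 controller sits at 10.20.30.5,
# its web/management interface listens on TCP 80 and 443, and a single
# management workstation at 10.0.0.10 is the only host allowed to reach it.
# The chain policy is drop because this ruleset is meant for a dedicated
# firewall in front of the controller's segment.

table inet emerge_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow return traffic for sessions the management host initiated.
        ct state established,related accept

        # Only the management workstation may reach the controller's web interface.
        ip saddr 10.0.0.10 ip daddr 10.20.30.5 tcp dport { 80, 443 } accept

        # The controller may not initiate connections toward other networks;
        # a compromised device would otherwise be a pivot point or botnet node.
        # Add explicit accepts above this line for any service it genuinely needs.
        ip saddr 10.20.30.5 log prefix "emerge-e3-outbound: " drop

        # Everything else aimed at the controller (internet, other VLANs) is logged and dropped.
        ip daddr 10.20.30.5 log prefix "emerge-e3-blocked: " drop
    }
}
```

Load the ruleset with `sudo nft -f emerge_guard.nft` and confirm it is active with `sudo nft list table inet emerge_guard`. A useful check after deployment is to run `curl -m 5 http://10.20.30.5/` from a host other than the management workstation: the request should time out, and a matching `emerge-e3-blocked:` entry should appear in the kernel log. On a shared router, merge these rules into the existing forward chain rather than adopting the drop policy wholesale.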