Cybersecurity researchers have warned of an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow the execution of arbitrary operating system (OS) commands.
The vulnerability, tracked as CVE-2024-9441, has a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck.
“A vulnerability in the Nortek Linear eMerge E3 allows remote, unauthenticated attackers to cause the device to execute an arbitrary command,” SSD Disclosure said in an advisory issued late last month, which notes that the vendor has yet to provide a fix or workaround.
The flaw affects the following Nortek Linear eMerge E3 Access Control versions: 0.32-03i, 0.32-04m, 0.32-05p, 0.32-05z, 0.32-07p, 0.32-07e, 0.32-08e, 0.32-08f, 0.32-09c, 1.00.05 and 1.00.07.
Proof-of-Concept (PoC) exploits for the flaw were published after the public disclosure, raising concerns that it could be exploited by threat actors.
It should be noted that another critical flaw affecting the E3, CVE-2019-7256 (CVSS score: 10.0), was exploited by a threat actor known as Linen Typhoon to recruit susceptible devices into the now-dismantled Raptor Train botnet.
Although originally disclosed in May 2019, it was not addressed by the company until earlier this March.
“But given the slow vendor response to the previous CVE-2019-7256, we don’t expect a fix for CVE-2024-9441 anytime soon,” said VulnCheck’s Jacob Baines. “Organizations using the Linear Emerge E3 series should act quickly to take these devices offline or isolate them.”
In a statement shared with SSD Disclosure, Nice advises customers to follow best security practices, including ensuring network segmentation, restricting access to the product from the Internet, and placing it behind a network firewall.
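The segmentation and firewalling the vendor recommends can be expressed as a concrete ruleset. The following nftables configuration is an added example written for this article, not vendor or SSD Disclosure material; it assumes a gateway forwarding traffic between a management subnet and a dedicated VLAN holding the controller, and all addresses, the interface-free forward chain and the assumption that the controller is administered over HTTP/HTTPS (ports 80 and 443) are placeholders to adapt to the real network.

```nft
#!/usr/sbin/nft -f
# Added example, not vendor guidance. Isolates an access-controller VLAN behind
# a gateway: only management hosts may reach the controller, the controller may
# not initiate connections out of its VLAN, and nothing from any other network
# (including the Internet side) is forwarded to it.

define mgmt_net = 10.10.0.0/24   # assumed: administrators' management subnet
define acs_net  = 10.20.0.0/24   # assumed: VLAN that holds the eMerge E3 controller(s)
define acs_host = 10.20.0.10     # assumed: address of the controller itself

table inet acs_isolation {
    chain forward {
        # Default-deny for all forwarded traffic; every allow below is explicit
        type filter hook forward priority 0; policy drop;

        # Replies for sessions that a management host opened
        ct state established,related accept

        # Only the management subnet may reach the controller's web interface
        # (ports assumed; restrict further to a jump host if one exists)
        ip saddr $mgmt_net ip daddr $acs_host tcp dport { 80, 443 } accept

        # The controller must never initiate traffic outside its own VLAN;
        # log it so an attempt to call out (e.g. botnet enrolment) is visible
        ip saddr $acs_net ip daddr != $acs_net log prefix "acs-egress-blocked: " drop

        # Anything else destined for the controller VLAN, such as traffic
        # arriving from an Internet-facing interface, is logged and dropped
        ip daddr $acs_net log prefix "acs-ingress-blocked: " drop
    }
}
```

Load it with `nft -f <file>` on the gateway and watch the kernel log for the two prefixes: `acs-ingress-blocked` entries show who is probing the controller segment, and any `acs-egress-blocked` entry is worth treating as an indicator that the device may already be compromised, given the earlier E3 flaw was used to recruit devices into a botnet.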