Cybersecurity researchers are warning about an unpatched vulnerability in Nice Linear eMerge E3 access controller systems that could allow the execution of arbitrary operating system (OS) commands.
The flaw, assigned the CVE identifier CVE-2024-9441, carries a CVSS score of 9.8 out of a maximum of 10.0, according to VulnCheck.
“A vulnerability in the Nortek Linear eMerge E3 allows remote unauthenticated attackers to cause the system to execute arbitrary command,” SSD Disclosure said in an advisory for the flaw released late last month, stating the vendor has yet to provide a fix or a workaround.
The flaw impacts the following versions of Nortek Linear eMerge E3 Access Control: 0.32-03i, 0.32-04m, 0.32-05p, 0.32-05z, 0.32-07p, 0.32-07e, 0.32-08e, 0.32-08f, 0.32-09c, 1.00.05, and 1.00.07.
Proof-of-concept (PoC) exploits for the flaw have been released following public disclosure, raising concerns that it could be exploited by threat actors.
It is worth noting that another critical flaw impacting E3, CVE-2019-7256 (CVSS score: 10.0), was exploited by a threat actor known as Flax Typhoon to recruit susceptible devices into the now-dismantled Raptor Train botnet.
Although originally disclosed in May 2019, the shortcoming wasn’t addressed by the company until earlier this March.
“But given the vendor’s slow response to the previous CVE-2019-7256, we do not expect a patch for CVE-2024-9441 any time soon,” VulnCheck’s Jacob Baines said. “Organizations using the Linear Emerge E3 series should act quickly to take these devices offline or isolate them.”
In a statement shared with SSD Disclosure, Nice is recommending that customers follow security best practices, including enforcing network segmentation, restricting access to the product from the internet, and placing it behind a network firewall.