Nice Linear eMerge Command Injection Vulnerability (CVE-2019–7256)

Fortiguard Security Advisory

What is the vulnerability?

Cyber threat actors are actively targeting Linear eMerge E3-Series to exploit a 5-year-old critical vulnerability. The vulnerability tracked as CVE-2019-7256 is a command injection flaw that could allow an attacker to cause remote code execution and full access to the system.

The Nice Linear eMerge E3-Series is a popular access control system used in various commercial and industrial environments worldwide which underscores the importance of the potential widespread impact of this vulnerability.

What is the recommended Mitigation?

Nice has released a security bulletin that advises users to apply the latest firmware to mitigate the risk and recommends defensive measures to minimize the risk of exploitation.

What FortiGuard Coverage is available?

FortiGuard Labs has an existing IPS signature “Linear.eMerge.card_scan_decoder.php.Command.Injection” to block any attack attempts targeting the vulnerability and has an OT virtual patch available for auto-patching.
Fortinet customers remain protected by the vulnerability; however, it is recommended to apply firmware patches released by the vendor to mitigate any risks.