Nice's Linear eMerge E3-Series, in versions 1.00-06 and prior, is susceptible to severe vulnerabilities, ranging from path traversal to cross-site scripting and OS command injection. Exploitation of these vulnerabilities, with a cumulative CVSS v3 score of 10.0, could allow remote attackers to gain complete control over the system. The affected products are deployed worldwide in commercial facilities, and users are urged to upgrade to the latest firmware as a mitigation measure.
The specific vulnerabilities include improper limitation of a pathname leading to path traversal, file inclusion through path traversal, cross-site scripting, OS command injection, unrestricted upload of malicious files, incorrect authorization, exposure of sensitive information, insufficiently protected credentials, use of hard-coded credentials, and cross-site request forgery. Each vulnerability is associated with a distinct CVE identifier and CVSS score.
Security researcher Gjoko Krstic from Zero Science Lab discovered these vulnerabilities and reported them to CISA. Nice recommends that users follow defensive measures such as minimizing network exposure, using secure remote access methods, changing default credentials, and updating VPNs. Organizations in the Critical Infrastructure Sectors, especially commercial facilities, are reminded to perform impact analysis and risk assessment before implementing defensive measures.