SecurityWeek’s ICS Cyber Security Conference in May 2019 witnessed the disclosure of over 100 vulnerabilities affecting Nortek’s building management and access control systems, including the Linear eMerge access control product. Notably, Nortek failed to promptly release patches, with an exploited critical unauthenticated remote code execution bug (CVE-2019-7256) making headlines in February 2020. The vulnerability attracted tens of thousands of daily exploit attempts and exposed over 2,300 devices to potential infection, risking DDoS attacks.
The US cybersecurity agency CISA published an advisory in July 2020, acknowledging Nortek’s release of patches for five vulnerabilities but noted the absence of the exploited CVE-2019-7256 from the list. Despite the acquisition of Nortek Security & Control by Nice in 2021, the vulnerabilities only surfaced on Nice’s radar in 2023, almost five years after initial disclosure, raising concerns about the prolonged exposure to cyber threats due to delayed remediation.
The delayed patching process of these critical vulnerabilities underscores the challenges in swift response to disclosed security flaws, potentially leaving organizations and individuals exposed to severe cyber risks for extended periods. This case serves as a reminder of the pressing need for proactive and timely vulnerability remediation to mitigate the impact of potential exploits and safeguard against cyber threats in the rapidly evolving threat landscape.
