Advisory

Nice reports critical flaw in Linear eMerge E3

Take action: If you are using Nice Linear eMerge E3 access control system, be aware that it's vulnerable. Make sure it's isolated from the internet and accessible only from trusted networks, and reach out to the vendor for patch timing.


Learn More

Nice has disclosed a critical security vulnerability affecting their Linear eMerge E3 access control system. 

The flaw is tracked as CVE-2024-9441 (CVSS score 9.8) and is an OS command injection (improper neutralization of special elements used in an OS command). It allows remote, unauthenticated attackers to execute arbitrary OS commands through the login_id parameter when accessing the forgot_password functionality over HTTP.

The injection requires no authentication and can be exploited remotely. Successful exploitation provides complete control over the affected system.

Linear eMerge E3: Versions 1.00-07 and prior are affected.

Since Nice has not provided a definitive timeline for a patch, the standard defensive measures to minimize exploitation apply:

  • Minimize network exposure of devices, ensuring they are not accessible from the internet
  • Place devices behind firewalls and isolate them from other networks
  • Use secure methods such as Virtual Private Networks (VPNs) when remote access is required
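
Until a patch is available, HTTP logs from a reverse proxy or firewall in front of the device can be checked for forgot_password requests whose login_id value contains shell metacharacters. The script below is an added example, not vendor code. It assumes combined-format access logs in which login_id appears in the logged request target; the path, addresses and values in the sample lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Characters a shell treats specially; none belong in a login identifier.
SHELL_META = set(";|&`$()<>{}\\\n\r'\"")

# Combined log format: source address first, request line in double quotes.
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)

def suspicious_login_id(line):
    """Return (source, decoded login_id) when the line is a forgot_password
    request whose login_id holds shell metacharacters, otherwise None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    if "forgot_password" not in unquote(target).lower():
        return None
    # parse_qs percent-decodes values, so encoded metacharacters are caught too.
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for value in query.get("login_id", []):
        if SHELL_META & set(value):
            return m.group("src"), value
    return None

def scan(lines):
    """Return every suspicious (source, login_id) pair found in the log lines."""
    return [hit for hit in map(suspicious_login_id, lines) if hit]

# Constructed sample lines: documentation addresses, placeholder path and values.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Oct/2024:10:00:01 +0000] '
    '"GET /placeholder/forgot_password?login_id=jsmith HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Oct/2024:10:00:05 +0000] '
    '"GET /placeholder/forgot_password?login_id=x%3BPLACEHOLDER_CMD HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Oct/2024:10:00:09 +0000] '
    '"GET /placeholder/index?login_id=a%7Cb HTTP/1.1" 404 0',
    '192.0.2.44 - - [01/Oct/2024:10:01:00 +0000] '
    '"GET /placeholder/forgot_password?login_id=%60PLACEHOLDER%60 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE_LOG):
        print(f"ALERT src={src} login_id={value!r}")
```

Requests that carry login_id in a POST body do not appear in standard access logs, so this check only covers what the logging layer actually records.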