Building access fixed 5 years after system breach disclosure

March 12, 2024
1 min read

TLDR:

Key Points:

  • Linear building access control products had vulnerabilities, including an exploited flaw, patched nearly five years after disclosure
  • A critical unauthenticated remote code execution bug, CVE-2019-7256, was exploited in attacks in 2020

Article Summary:

Vulnerabilities affecting Linear building access control products, including an exploited flaw, have been patched nearly five years after their disclosure. In 2019, over 100 vulnerabilities were disclosed by a researcher, but Nortek, one of the vendors, had not released patches. One of the vulnerabilities, CVE-2019-7256, was exploited in attacks in 2020. The US cybersecurity agency CISA published advisories, and by 2023, Nortek was acquired by Nice, but it took until 2023 for the vulnerabilities to be addressed. Nice released security bulletins in 2023 to address compromised devices. CISA warned about a dozen vulnerabilities in Linear eMerge E3 series in 2024. Nice confirmed releasing firmware patches to address these flaws.

The researcher, Gjoko Krstic, stated that Nice informed CISA in 2023 of ongoing work on securing impacted devices. Nice confirmed releasing firmware patches to address the vulnerabilities. The company stated that the vulnerabilities were limited to systems deployed outside a firewall, and no sensitive data was accessed. Nice urged customers to install firmware updates to mitigate the vulnerabilities.

Latest from Blog

EU push for unified incident report rules

TLDR: The Federation of European Risk Management Associations (FERMA) is urging the EU to harmonize cyber incident reporting requirements ahead of new legislation. Upcoming legislation such as the NIS2 Directive, DORA, and