Vulnerabilities in ScrutisWeb, including a critical one, expose remote ATMs to attack and theft
Take action: Most ATM management systems are confined to an internal network, so the patch is not urgent, but it is VERY important. Don't ignore this issue: there is a critical severity vulnerability, and an attacker who has already got into your endpoints to steal some data now has the option to cash out. Literally.
ScrutisWeb ATM fleet monitoring software has been found to contain a set of vulnerabilities that expose managed ATMs to the risk of theft. The discovery is credited to Synack researchers.
ScrutisWeb is a software platform for monitoring and managing ATM fleets, particularly in the banking and retail sectors. It lets businesses remotely monitor and control their networks of automated teller machines (ATMs) and related devices through a web-based interface, so issues can be responded to immediately from a web browser. It grants users remote monitoring capabilities, the ability to restart or shut down terminals, send and receive files, and manipulate data.
Synack researchers identified four distinct classes of vulnerabilities, each tracked under its own CVE identifier:
- CVE-2023-35189 (CVSS score of 10.0) is a remote code execution vulnerability: it permits an unauthorized user to upload and subsequently execute any file, leading to command injection. Threat actors could exploit it to access server data, execute arbitrary commands, retrieve encrypted administrator passwords, and decode them using a hardcoded key.
- CVE-2023-33871 (CVSS score of 7.5) is a directory traversal vulnerability that potentially allows an unauthorized user to access files located outside the server's webroot directory.
- CVE-2023-38257 (CVSS score of 7.5) is an insecure direct object reference (IDOR) vulnerability that may allow an unauthorized user to access profile information such as user login names and encrypted passwords.
- CVE-2023-35763 (CVSS score of 5.5) is a cryptographic vulnerability that allows an unauthorized user to decrypt encrypted passwords into plaintext.
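As an added illustration (not ScrutisWeb's code; the webroot path and the extension allow-list are assumptions), here are the two server-side checks that close off the file-handling bug classes above: path containment under the webroot against traversal, and a strict filename allow-list so an accepted upload can never be stored as executable server content.

```python
import os
import re
from pathlib import Path
from typing import Optional

# Constructed example of a hardening pattern for the traversal and
# upload-then-execute bug classes described above. Not ScrutisWeb code.
ALLOWED_UPLOAD_EXTENSIONS = {".txt", ".log", ".csv"}  # assumed: data types only
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,128}$")     # bare filename characters


def resolve_under_webroot(webroot: str, requested: str) -> Optional[Path]:
    """Return the absolute path for `requested` only if it stays inside `webroot`.

    Resolves '..' components and symlinks before checking containment, so
    nested traversal such as 'status/../../etc/passwd' is rejected, and the
    webroot directory itself is never served as a file.
    """
    root = Path(webroot).resolve()
    candidate = (root / requested.lstrip("/\\")).resolve()
    if candidate == root or root not in candidate.parents:
        return None
    return candidate


def validate_upload_name(filename: str) -> Optional[str]:
    """Accept a bare, allow-listed filename; reject anything else.

    Rejects path components, hidden files, double extensions such as
    'report.txt.aspx', and any extension outside the allow-list, so an
    uploaded file cannot later be reached as executable content.
    """
    name = os.path.basename(filename)
    if name != filename or not SAFE_NAME.match(name) or name.startswith("."):
        return None
    if name.count(".") != 1 or Path(name).suffix.lower() not in ALLOWED_UPLOAD_EXTENSIONS:
        return None
    return name
```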
The vulnerabilities might enable adversaries to log into the ScrutisWeb management panel as admins, monitor linked ATMs, activate management mode on devices, upload files, and reboot or shut down machines. Attackers could even use the remote command execution vulnerability to erase crucial data in order to cover their tracks.
These vulnerabilities were addressed by the vendor with the release of ScrutisWeb version 2.1.38 in July 2023.