Iagona ScrutisWeb, an ATM fleet monitoring product, contains several vulnerabilities that could allow attackers to gain remote access to ATMs. Researchers disclosed the flaws last month. Iagona has fixed them in ScrutisWeb version 2.1.38; earlier releases remain affected, so operators still running 2.1.37 or older should upgrade.
The product, developed by a French company, lets organisations monitor banking or retail ATM fleets from a web browser so that they can respond to issues quickly.
Operators can use it to reboot or shut down a terminal, send or receive files, monitor hardware, and modify data remotely. The researchers also noted that a monitored fleet can include check deposit machines and payment terminals, for example those of a restaurant chain.
Iagona ScrutisWeb has multiple vulnerabilities.
The researchers identified four vulnerabilities, tracked as CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189.
These are, respectively, a path traversal, an authorisation bypass, a hardcoded cryptographic key, and an arbitrary file upload, and a remote attacker can exploit them without authenticating.
Chained together, the bugs let an attacker read files from the affected server, run arbitrary commands, harvest encrypted administrator passwords, and decrypt them with the hardcoded key. The researchers said an unauthorised individual could then log into the ScrutisWeb management console as an administrator, monitor the activity of connected ATMs, enable management mode on those devices, and upload files to them.
Threat actors could also use the remote command execution to cover their tracks by deleting log files. The researchers believe further attacks are possible once a foothold is established in an affected environment, so the vulnerabilities provide an internet-facing pivot point into the operator's internal network.
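Two of the flaw classes named above, path traversal and arbitrary file upload, both come down to a web handler trusting a client-supplied file name. The following added example is not ScrutisWeb code and says nothing about how the product is built; it shows a generic file-read handler and a generic upload handler in a vulnerable form and a hardened form, run against a traversal payload in a temporary directory. The directory layout, the file names, the `app.config` contents and the `ALLOWED_EXT` allowlist are all constructed for the demonstration.

```python
# Added example (not ScrutisWeb code): a file-read handler and an upload
# handler in vulnerable and hardened form, exercised with a path-traversal
# payload. Directory layout, file names and contents are constructed.
import os
import posixpath
import tempfile

# Constructed sandbox: a "web root" with an uploads folder, and a config
# file one level above the web root that the application must never serve.
BASE = tempfile.mkdtemp(prefix="traversal-example-")
ROOT = os.path.join(BASE, "webroot")
UPLOADS = os.path.join(ROOT, "uploads")
os.makedirs(UPLOADS)
with open(os.path.join(ROOT, "index.html"), "w") as f:
    f.write("<html>hello</html>")
CONFIG = os.path.join(BASE, "app.config")
with open(CONFIG, "w") as f:
    f.write("adminPassword=ENCRYPTED_BLOB")  # constructed placeholder value

ALLOWED_EXT = {".png", ".jpg", ".txt"}  # assumed allowlist for the example


def read_file_vulnerable(name: str) -> str:
    """Vulnerable: the client-supplied name is joined onto ROOT as-is, so
    '../app.config' (or an absolute path) walks out of the web root."""
    with open(os.path.join(ROOT, name)) as f:
        return f.read()


def safe_join(base: str, name: str) -> str:
    """Resolve `name` beneath `base` and refuse anything that escapes it.
    realpath() collapses '..' and symlinks before the containment check;
    joining an absolute `name` yields a path outside `base`, which also fails."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"path escapes root: {name!r}")
    return candidate


def read_file_hardened(name: str) -> str:
    """Hardened: only paths that resolve inside ROOT are opened."""
    with open(safe_join(ROOT, name)) as f:
        return f.read()


def save_upload_vulnerable(filename: str, data: bytes) -> str:
    """Vulnerable: trusts the client's filename, so '../shell.aspx' lands in
    the web root instead of the uploads folder. Returns the resolved path."""
    path = os.path.join(UPLOADS, filename)
    with open(path, "wb") as f:
        f.write(data)
    return os.path.realpath(path)


def save_upload_hardened(filename: str, data: bytes) -> str:
    """Hardened: keep only the last path component, allowlist the extension,
    and still run the containment check before writing."""
    leaf = posixpath.basename(filename.replace("\\", "/"))
    if not leaf or leaf in (".", "..") or os.path.splitext(leaf)[1].lower() not in ALLOWED_EXT:
        raise ValueError(f"rejected upload name: {filename!r}")
    path = safe_join(UPLOADS, leaf)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Run both handler pairs against traversal payloads and report the outcome."""
    results = {}
    results["vuln_read"] = read_file_vulnerable("../app.config")  # leaks the config
    try:
        read_file_hardened("../app.config")
        results["hardened_read"] = "allowed"
    except PermissionError:
        results["hardened_read"] = "blocked"
    results["hardened_read_ok"] = read_file_hardened("index.html")  # legitimate name still works

    uploads_real = os.path.realpath(UPLOADS)
    written = save_upload_vulnerable("../shell.aspx", b"<% %>")
    results["vuln_upload_inside_uploads"] = os.path.commonpath([uploads_real, written]) == uploads_real
    try:
        save_upload_hardened("../shell.aspx", b"<% %>")
        results["hardened_upload"] = "allowed"
    except ValueError:
        results["hardened_upload"] = "blocked"
    results["hardened_upload_ok"] = os.path.basename(save_upload_hardened("../photo.png", b"\x89PNG"))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment check in `safe_join` is the part that matters: canonicalise first, then compare against the canonicalised root, because a prefix check on the raw string is defeated by `..` segments, symlinks and absolute paths. The upload allowlist only addresses the file name; a production handler would also verify content type and store uploads outside any directory the web server executes from.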
Further analysis would be needed to determine whether attackers could push custom software to individual ATMs to exfiltrate bank card data, redirect transfers, or carry out other malicious activity; the researchers who found the flaws said this was outside the scope of their assessment.
CISA has published an advisory to raise awareness of the flaws. The product is deployed worldwide, which widens the potential impact of these vulnerabilities.