Critical Vulnerabilities in Iagona’s ScrutisWeb ATM Software Could Enable Remote Attacks
August 14, 2023
Several serious security flaws have been found in the ScrutisWeb ATM fleet monitoring software, developed by French firm Iagona. These vulnerabilities could potentially be exploited to remotely hack ATMs. The vulnerabilities were discovered by members of the Synack Red Team and were fixed with the launch of ScrutisWeb version 2.1.38 in July 2023.
ScrutisWeb is a solution that enables organizations to oversee their banking or retail ATM fleets via a web browser, facilitating swift responses to any issues. The software can be utilized to monitor hardware, reboot or shut down terminals, send and receive files, and alter data remotely. ATM fleets, it should be noted, can encompass check deposit machines and payment terminals in restaurant chains.
The Synack researchers uncovered four types of vulnerabilities, which have been assigned the CVE identifiers CVE-2023-33871, CVE-2023-38257, CVE-2023-35763 and CVE-2023-35189. These vulnerabilities consist of path traversal, authorization bypass, hardcoded cryptographic key, and arbitrary file upload issues, which could be exploited by remote, unauthenticated attackers.
Threat actors could leverage these vulnerabilities to extract data from the server (including configurations, logs, and databases), execute arbitrary commands, and acquire encrypted administrator passwords, which they could then decrypt using a hardcoded key. The researchers stated that an attacker could exploit these vulnerabilities to gain admin access to the ScrutisWeb management console, monitor the activities of connected ATMs, enable management mode on the devices, upload files, and reboot or power them off.
Additionally, hackers could utilize the remote command execution vulnerability to cover their tracks by erasing relevant files. Neil Graves, one of the researchers involved in the project, explained that, “Additional exploitation from this foothold in the client’s infrastructure could occur, making this an internet-facing pivot point for a malicious actor. Further examination would be required to determine if custom software could be uploaded to individual ATMs to perform bank card exfiltration, Swift transfer redirection, or other malicious activities. However, such additional testing was out of scope of the assessment.”
The US Cybersecurity and Infrastructure Security Agency (CISA) has recently issued an advisory to notify organizations about these vulnerabilities. According to CISA, the affected product is used globally.