Vulnerabilities in Iagona’s ScrutisWeb ATM fleet monitoring software were discovered by Synack Red Team members. The French company’s software allows organizations to oversee a large number of retail and banking ATMs from a browser.
Synack researchers discovered several vulnerabilities in the ScrutisWeb software, including arbitrary file upload, authorization bypass, and hardcoded cryptographic key issues. Unauthenticated remote attackers can exploit these flaws to collect data, execute commands, or obtain administrator passwords. Logging into the ScrutisWeb management console with admin privileges would enable attackers to alter connected ATMs, upload files, and reboot or turn off ATMs. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory, as the impacted product is used globally. The vulnerabilities were patched by Iagona in ScrutisWeb version 2.1.38.