Dmitry Turchenkov

**Name of the Vulnerable Software and Affected Versions** NCR SelfServ ATMs version APTRA XFS 05.01.00 **Description** The issue concerns a lack of encryption, authentication, and integrity verification of messages between the BNA and the host computer. This could allow an attacker with physical access to the internal components of the ATM to execute arbitrary code, including code that enables the attacker to commit deposit forgery. **Recommendations** For NCR SelfServ ATMs version APTRA XFS 05.01.00, consider implementing encryption, authentication, and integrity verification of messages between the BNA and the host computer to prevent arbitrary code execution. As a temporary workaround, restrict physical access to the internal components of the ATM to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** NCR SelfServ ATMs running APTRA XFS version 05.01.00 **Description** The issue concerns a lack of proper validation for software updates related to the bunch note acceptor (BNA) in NCR SelfServ ATMs. This allows an attacker with physical access to internal ATM components to restart the host computer and execute arbitrary code with SYSTEM privileges. The vulnerability is exploited during the boot process when the update mechanism searches for CAB archives on removable media and executes a specific file without validating the CAB archive's signature. **Recommendations** For NCR SelfServ ATMs running APTRA XFS version 05.01.00, consider restricting physical access to internal ATM components to minimize the risk of exploitation. As a temporary workaround, avoid using removable media for updates until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.