LiveActive security incident?Get immediate response
CVE Record

CVE-2020-9063: NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier do not authenticate or protect the integrity of USB...

NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier do not authenticate or protect the integrity of USB HID communications between the currency dispenser and the host computer, permitting an attacker with physical access to internal ATM components the ability to inject a malicious payload and execute arbitrary code with SYSTEM privileges on the host computer by causing a buffer overflow on the host.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

This issue affects NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier. If an attacker gains physical access inside the ATM, they may tamper with dispenser-to-host USB HID communications and run code with SYSTEM privileges. The business risk is highest for exposed, poorly monitored, or weakly controlled ATM estates.

Executive priority

Treat this as high priority for ATM operators because compromise could affect cash-handling systems. Urgency depends on fleet exposure, physical security, and whether affected APTRA XFS versions remain deployed.

Technical view

The CVE describes unauthenticated and integrity-unprotected USB HID communications between the currency dispenser and host computer. Malicious input can trigger a host-side buffer overflow, leading to arbitrary code execution as SYSTEM. The record maps to CWE-120 and does not provide CVSS scoring.

Likely exposure

Exposure is limited to NCR SelfServ ATMs using APTRA XFS 05.01.00 or earlier, especially where attackers could access internal ATM components.

Exploitation context

The source bundle does not show CISA KEV listing or confirmed active exploitation for this CVE. Exploitation requires physical access to internal components, but the resulting host privilege level is severe.

Researcher notes

Evidence supports a physical-access attack path against dispenser-to-host USB HID handling with SYSTEM-level code execution via buffer overflow. Public details in the bundle do not include CVSS, exploit status, or a universal remediation procedure.

Mitigation direction

  • Inventory NCR SelfServ ATMs and APTRA XFS versions.
  • Prioritize systems running APTRA XFS 05.01.00 or earlier.
  • Review CERT VU#116713 and NCR security alerts for vendor guidance.
  • Apply NCR-recommended updates or controls where applicable.
  • Strengthen physical access controls for ATM interiors and service areas.
  • Review dispenser security guidance from NCR before compensating-control decisions.

Validation and detection

  • Confirm ATM model and installed APTRA XFS version.
  • Check whether affected systems are at or below APTRA XFS 05.01.00.
  • Verify vendor guidance has been reviewed for each affected ATM group.
  • Confirm maintenance access and internal component access are controlled and logged.
  • Review ATM monitoring for signs of unauthorized physical access or tampering.
Prepared
Confidence
medium
Sources
5

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-120: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Execution behavior lookup

The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2020-9063 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
0Timeline events
0ADP providers
7Source links

CVSS and timeline data

No CVSS vectors or timeline events were available in the normalized CVE source material.

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
NCRSelfServ ATMAPTRA XFSListed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-120 · source CWE mapping

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.