Security readout for executives and security teams
Plain-English summary
This issue affects NCR SelfServ ATMs running APTRA XFS 05.01.00 or earlier. If an attacker gains physical access inside the ATM, they may tamper with dispenser-to-host USB HID communications and run code with SYSTEM privileges. The business risk is highest for exposed, poorly monitored, or weakly controlled ATM estates.
Executive priority
Treat this as high priority for ATM operators because compromise could affect cash-handling systems. Urgency depends on fleet exposure, physical security, and whether affected APTRA XFS versions remain deployed.
Technical view
The CVE describes unauthenticated and integrity-unprotected USB HID communications between the currency dispenser and host computer. Malicious input can trigger a host-side buffer overflow, leading to arbitrary code execution as SYSTEM. The record maps to CWE-120 and does not provide CVSS scoring.
Likely exposure
Exposure is limited to NCR SelfServ ATMs using APTRA XFS 05.01.00 or earlier, especially where attackers could access internal ATM components.
Exploitation context
The source bundle does not show CISA KEV listing or confirmed active exploitation for this CVE. Exploitation requires physical access to internal components, but the resulting host privilege level is severe.
Researcher notes
Evidence supports a physical-access attack path against dispenser-to-host USB HID handling with SYSTEM-level code execution via buffer overflow. Public details in the bundle do not include CVSS, exploit status, or a universal remediation procedure.
Mitigation direction
- Inventory NCR SelfServ ATMs and APTRA XFS versions.
- Prioritize systems running APTRA XFS 05.01.00 or earlier.
- Review CERT VU#116713 and NCR security alerts for vendor guidance.
- Apply NCR-recommended updates or controls where applicable.
- Strengthen physical access controls for ATM interiors and service areas.
- Review dispenser security guidance from NCR before compensating-control decisions.
Validation and detection
- Confirm ATM model and installed APTRA XFS version.
- Check whether affected systems are at or below APTRA XFS 05.01.00.
- Verify vendor guidance has been reviewed for each affected ATM group.
- Confirm maintenance access and internal component access are controlled and logged.
- Review ATM monitoring for signs of unauthorized physical access or tampering.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-120: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupExecution behavior lookup
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
Open ATT&CK lookupCVE-2020-9063 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Unknown
- CVSS
- Not scored
- Known Exploited
- No
- Published
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS and timeline data
No CVSS vectors or timeline events were available in the normalized CVE source material.
Source materials
- CVE List V5 sourceCVE List V5
- https://kb.cert.org/vuls/id/116713CVE reference · x_refsource_MISC
- https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-10-S1_and_S2_Critical_Update.pdfCVE reference · x_refsource_MISC
- https://www.ncr.com/content/dam/ncrcom/unsorted/jackpot_attacks_in_the_us_-_january_2018.pdfCVE reference · x_refsource_MISC
- https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdfCVE reference · x_refsource_MISC
- https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Secure_white_paper-Dispenser_Security_Solution_September_2018.pdfCVE reference · x_refsource_MISC
- https://www.kb.cert.org/vuls/id/116713CVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
