CVE-2020-9063

7.6 HIGH

📋 TL;DR

This vulnerability allows attackers with physical access to NCR SelfServ ATMs to inject malicious payloads via USB HID communications to the currency dispenser, leading to arbitrary code execution with SYSTEM privileges. It affects ATMs running APTRA XFS version 05.01.00 or earlier. The attack requires physical access to internal ATM components.

💻 Affected Systems

Products:
  • NCR SelfServ ATMs
Versions: APTRA XFS 05.01.00 and earlier
Operating Systems: Windows-based ATM operating systems
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitable only where an attacker can reach the internal USB connection between the dispenser and the host computer.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the ATM host computer with SYSTEM privileges, enabling cash dispensing manipulation, data theft, or installation of persistent malware.

🟠 Likely Case

Unauthorized cash dispensing (jackpotting) attacks resulting in financial loss and ATM downtime.

🟢 If Mitigated

Limited impact, because physical security controls prevent access to internal components.

🌐 Internet-Facing: LOW - Attack requires physical access to internal ATM hardware, not network exploitation.
🏢 Internal Only: HIGH - Physical access to ATM internals bypasses all network security controls.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires physical tampering skills and specialized hardware/knowledge of ATM internals.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: APTRA XFS 05.01.01 and later

Vendor Advisory: https://www.ncr.com/content/dam/ncrcom/content-type/documents/NCR_Security_Alert-2018-13_APTRA_XFS_v5.pdf

Restart Required: Yes

Instructions:

1. Download APTRA XFS 05.01.01 or later from the NCR support portal.
2. Apply the update following NCR deployment procedures.
3. Restart the ATM to activate the changes.
4. Verify that the version update completed successfully.

🔧 Temporary Workarounds

Physical Security Enhancement (platform: all)

Strengthen physical access controls to prevent unauthorized access to ATM internal components.

USB Port Disablement (platform: windows)

Disable or physically block unused USB ports on the ATM host computer if they are not required for operations.

🧯 If You Can't Patch

  • Implement strict physical security controls with tamper-evident seals and surveillance on ATM internals.
  • Deploy intrusion detection systems that monitor for unauthorized physical access to ATM cabinets.

🔍 How to Verify

Check if Vulnerable:

Check APTRA XFS version via ATM management interface or configuration files. Versions 05.01.00 or earlier are vulnerable.

Check Version:

Check APTRA XFS version via ATM diagnostic menu or configuration management tools specific to NCR ATMs.

Verify Fix Applied:

Confirm APTRA XFS version is 05.01.01 or later through system information or version check utilities.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected USB device connections
  • Dispenser communication errors
  • System privilege escalation events

Network Indicators:

  • Unusual dispenser communication patterns (though primarily local)

SIEM Query:

ATM logs showing USB device connection events from unknown/disallowed hardware IDs
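The query above describes the intent only; the following is an added example (not from the original page or from NCR) that turns it into detection logic: it flags USB device connection events whose hardware ID is not on an allowlist, and raises a higher-priority alert when a dispenser communication error follows such a connection within a short window, which is the pairing of log indicators listed above. The log line format, the hardware IDs and the allowlist are all constructed for this example and are not NCR's real log layout or device IDs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines; the key=value layout is an assumption made
# for this example, not the format NCR ATM software actually emits.
SAMPLE_LOGS = r"""
2024-03-01T08:00:01Z host=ATM-001 event=usb_connect class=HID hwid=USB\VID_0000&PID_0001 port=1-2
2024-03-01T08:00:02Z host=ATM-001 event=usb_connect class=HID hwid=USB\VID_0000&PID_0002 port=1-3
2024-03-01T08:00:05Z host=ATM-001 event=dispenser_error code=E42 msg="unexpected frame"
2024-03-01T08:00:06Z host=ATM-001 event=usb_connect class=MASS hwid=USB\VID_0000&PID_0003 port=1-4
"""

# Hardware IDs the ATM is expected to enumerate (placeholder values, not
# real dispenser IDs). In practice this is built from a known-good baseline.
ALLOWED_HWIDS = {r"USB\VID_0000&PID_0001"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split '<timestamp> k=v k="v v" ...' into a dict with a parsed 'ts'."""
    ts_str, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def detect(log_text, allowed=ALLOWED_HWIDS, window=timedelta(seconds=30)):
    """Return (alert_type, timestamp, hwid) tuples in log order."""
    alerts = []
    recent_unknown = []  # (ts, hwid) of connections not on the allowlist
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("event") == "usb_connect" and ev.get("hwid") not in allowed:
            alerts.append(("unapproved_usb_device", ev["ts"], ev["hwid"]))
            recent_unknown.append((ev["ts"], ev["hwid"]))
        elif ev.get("event") == "dispenser_error":
            # Correlate the error with any unapproved device seen within the window.
            linked = [h for t, h in recent_unknown if ev["ts"] - t <= window]
            if linked:
                alerts.append(("dispenser_error_after_unapproved_usb", ev["ts"], linked[-1]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```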
