CVE-2023-47020 – This vulnerability in NCR Terminal Handler v1.5... (How to Fix)

Q: What is the severity of CVE-2023-47020?

CVE-2023-47020 has a CVSS score of 8.8 (HIGH). This vulnerability in NCR Terminal Handler v1.5.1 allows attackers to chain multiple CSRF attacks to create new user accounts and add them to administrator groups. Attackers can exploit an insecure WSDL function that accepts custom content types without proper security controls. Organizations using NCR Terminal Handler v1.5.1 are affected.

📋 TL;DR

This vulnerability in NCR Terminal Handler v1.5.1 allows attackers to chain multiple CSRF attacks to create new user accounts and add them to administrator groups. Attackers can exploit an insecure WSDL function that accepts custom content types without proper security controls. Organizations using NCR Terminal Handler v1.5.1 are affected.

💻 Affected Systems

Products:

NCR Terminal Handler

Versions: v1.5.1

Operating Systems: Not specified

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the WSDL interface that lacks proper security controls for custom content types.

📦 What is this software?

Terminal Handler by Ncratleos

View all CVEs affecting Terminal Handler →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining administrative privileges, potentially leading to data theft, system manipulation, or further network penetration.

🟠

Likely Case

Unauthorized administrative account creation leading to privilege escalation and potential data access or system configuration changes.

🟢

If Mitigated

Limited impact with proper CSRF protections and input validation in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires the attacker to trick an authenticated user into visiting a malicious page, but the exploit itself is straightforward once the CSRF attack is initiated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Check NCR vendor resources for updates.

🔧 Temporary Workarounds

Implement CSRF Tokens

all

Add CSRF tokens to all state-changing requests and validate them server-side.

Restrict WSDL Access

all

Limit access to the WSDL interface to trusted networks or disable it if not required.

🧯 If You Can't Patch

Implement network segmentation to isolate NCR Terminal Handler from untrusted networks
Deploy web application firewall (WAF) with CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running NCR Terminal Handler v1.5.1 and review WSDL interface for CSRF protections.

Check Version:

Check application documentation or configuration files for version information.

Verify Fix Applied:

Test if CSRF tokens are required for user creation and group assignment operations.

📡 Detection & Monitoring

Log Indicators:

Unexpected user account creation
Administrative group membership changes
WSDL interface access from unusual sources

Network Indicators:

CSRF attack patterns in web traffic
Requests to user creation endpoints without proper referrer headers

SIEM Query:

Search for: (event_type="user_creation" OR event_type="group_membership_change") AND source_ip NOT IN trusted_networks

📊 Metadata

CVE ID: CVE-2023-47020

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE: CWE-352

Published: February 8, 2024

Last Updated: June 10, 2025

🔗 References

https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47020 Third Party Advisory
https://youtu.be/pGB3LKdf64w Exploit
https://github.com/Patrick0x41/Security-Advisories/tree/main/CVE-2023-47020 Third Party Advisory
https://youtu.be/pGB3LKdf64w Exploit

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-47020, you might also want to check these: