CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Password Vulnerability in NCR Terminal Handler v.1.5.1 allows a remote attacker to execute arbitrary code via a crafted script to the UserService SOAP API function.
Analysis
CVE-2023-47032 is a critical remote code execution vulnerability in NCR Terminal Handler v1.5.1 that allows unauthenticated attackers to execute arbitrary code by sending malicious scripts to the UserService SOAP API endpoint. The vulnerability affects NCR's point-of-sale terminal handler software and carries a CVSS score of 9.8 (critical severity). There is no indication of active exploitation in the wild, but the network-accessible SOAP API, lack of authentication requirements, and high-severity CWE-94 (Improper Control of Generation of Code) suggest this poses significant risk to NCR terminal deployments.
Technical Context
The vulnerability resides in the UserService SOAP API function within NCR Terminal Handler, a component responsible for managing point-of-sale terminal operations and user authentication. The root cause is CWE-94 (Improper Control of Generation of Code), indicating the application dynamically executes or interprets user-supplied input without proper validation or sanitization. The SOAP API endpoint is network-accessible (AV:N per CVSS vector), meaning the vulnerable service is exposed without requiring special network positioning. The 'crafted script' mentioned in the description suggests the attacker can inject code (likely script-based) that is subsequently executed in the context of the terminal handler process. This is consistent with unsafe deserialization, code injection, or unsafe scripting engine usage patterns common in legacy enterprise POS systems.
Affected Products
NCR Terminal Handler version 1.5.1 is explicitly affected. The product is used in NCR point-of-sale and financial terminal deployments worldwide. Without vendor advisory details or CPE strings in the provided source data, the exact affected configurations cannot be pinpointed, but likely affected deployments include: NCR SelfServ ATMs, NCR FastLane checkout terminals, and other NCR POS systems running Terminal Handler v1.5.1. Organizations should cross-reference their NCR product inventory against the vendor's official CVE-2023-47032 advisory to identify specific affected models and configurations. The vulnerability affects installations where the UserService SOAP API is network-accessible.
Remediation
Immediate remediation steps:
(1) Patch NCR Terminal Handler to the latest available version beyond 1.5.1; consult NCR's security advisory for the specific patched version number and availability.
(2) If patching cannot be immediately deployed, implement network segmentation to restrict access to the UserService SOAP API endpoint (typically port 8080 or 443 depending on configuration) to trusted administrative networks only. Use firewall rules or WAF policies to block external connections.
(3) Monitor SOAP API logs for suspicious script patterns or encoding anomalies.
(4) Disable the UserService SOAP API if not required for operations.
(5) Apply principle of least privilege to terminal handler service accounts.
Consult NCR's official security bulletin and customer advisory portal for patch download links, detailed deployment instructions, and rollback procedures. Given the critical nature, patching should be prioritized in the next maintenance window.
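One way to check remediation steps (2) and (3) against web-server or proxy access logs, as an added example that is not part of the original advisory or any NCR tooling: it reports requests that reached the UserService endpoint from outside the trusted administrative networks. The common-access-log format, the `/UserService` path and the network ranges are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumptions (not from the advisory): endpoint path segment and admin networks.
ENDPOINT_SEGMENT = "userservice"
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "fd00:20::/64")]

# Common access log: src ident user [timestamp] "METHOD target PROTO" status size
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or garbage in the source field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def audit(lines):
    """Return (findings, unparsed_count) for endpoint requests from untrusted sources."""
    findings, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count, never silently drop, lines the parser cannot read
            continue
        path = m["target"].split("?", 1)[0].lower()
        if ENDPOINT_SEGMENT in path.split("/") and not is_trusted(m["src"]):
            findings.append((m["ts"], m["src"], m["method"], m["status"]))
    return findings, unparsed

def by_source(findings):
    return Counter(src for _, src, _, _ in findings)

SAMPLE = [  # constructed log lines using documentation address ranges
    '10.20.0.15 - - [12/Nov/2023:10:01:22 +0000] "POST /UserService HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/Nov/2023:10:03:05 +0000] "POST /UserService HTTP/1.1" 200 1841',
    '203.0.113.7 - - [12/Nov/2023:10:03:09 +0000] "POST /userservice?wsdl HTTP/1.1" 500 97',
    '198.51.100.23 - - [12/Nov/2023:10:04:40 +0000] "GET /status HTTP/1.1" 200 12',
    '10.20.1.9 - - [12/Nov/2023:10:05:00 +0000] "POST /UserService HTTP/1.1" 200 430',
    'truncated line',
]

if __name__ == "__main__":
    hits, bad = audit(SAMPLE)
    for ts, src, method, status in hits:
        print(f"{ts} {src} {method} -> {status} (outside trusted networks)")
    print(dict(by_source(hits)), "unparsed:", bad)
```

Any finding means the segmentation in step (2) is not holding for that source; the unparsed count should be reviewed rather than ignored, since malformed lines can hide requests.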
EUVD-2023-51188