CVE-2023-28865

MEDIUM

Diebold Nixdorf VSS <4.2.0 SR02 - Info Disclosure

Title source: llm

Description

Diebold Nixdorf Vynamic Security Suite (VSS) before 3.3.0 SR15, 4.0.0 SR05, 4.1.0 SR03, and 4.2.0 SR02 fails to validate the directory contents of certain directories (e.g., ensuring the expected hash sum) during the Pre-Boot Authorization (PBA) process. This can be exploited by a physical attacker who is able to manipulate the contents of the system's hard disk.

References (2)

[Exploit, Third Party Advisory] https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Matt%20Burch%20-%20Where%E2%80%99s%20the%20Money%20-%20Defeating%20ATM%20Disk%20Encryption-white%20paper.pdf

[Vendor Advisory] https://www.dieboldnixdorf.com/en-us/banking/portfolio/software/security/

Scores

CVSS v3 6.6

EPSS 0.0032

EPSS Percentile 54.7%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-353 CWE-345

Status published

Products (1)

dieboldnixdorf/vynamic_security_suite < 3.3.0sr15

Published Aug 08, 2024

Tracked Since Feb 18, 2026