Reported: 04.05.10.

The Tranax Remote Management Software (RMS) allows for the administration of common Automated Teller Machine (ATM) tasks from a remote location.
To successfully authenticate to a remote ATM, both the serial number and the RMS password are required. An implementation flaw in the credential verification allows an attacker to craft a request that bypasses all authentication measures. The attacker could then perform remote management tasks without valid credentials.
The RMS interface is enabled, by default, on a typical ATM installation.