NSIDE-SA-2025-001
Advisory: Partial Login Bypass in UC eBanking Prime
NSIDE ATTACK LOGIC discovered multiple vulnerabilities that may allow attackers
to gain unauthorized access to the eBanking web interface, granting access to
sensitive data such as account statements. The vulnerability described in this
advisory is a partial authentication bypass involving the OTC component.
Details
=======
Affected Product: UC eBanking Prime OTC
Affected Versions: confirmed with 6.1.0 and 6.2.0
Vulnerability Types: Login Factor Bypass
Security Risk: HIGH
Vendor Status: FIXED
Fixed Version: unknown
Advisory Status: PUBLISHED
Advisory URL: https://www.nsideattacklogic.de/advisories/NSIDE-SA-2025-001
Advisory URL (text only): https://www.nsideattacklogic.de/advisories/NSIDE-SA-2025-001.txt
CVE ID: pending
Introduction
============
UC eBanking Prime[1] is an on-premise electronic banking solution for business
clients of HypoVereinsbank/UniCredit. It consists of a web application hosted in
the client's intranet and a desktop application used for authentication called
OTC Client.
Description
===========
During regular use, the user provides a so-called "Keybag" file and a password
to the OTC Client desktop application. The OTC Client validates these inputs,
verifies that the account is not locked, requests an encrypted eight-digit
one-time code (OTC) from the server, decrypts it and displays it to the user. To
complete the authentication, the user enters this one-time code into the web
application's login form using their web browser.
This authentication process is subject to various design and implementation
flaws. Firstly, NSIDE found that the (encrypted) OTC can be requested regardless
of the account lockout state, since the corresponding check and the OTC request
are independent of each other. Secondly, the private key is stored in the Keybag
file without proper protection. The Keybag file is a PKCS#12-like structure that
contains various private keys and certificates. Some of these objects are
protected with the user's password, however this does not apply to the OTC
decryption key, which is "protected" with a static hard-coded password.
NSIDE published this advisory after being notified that a corresponding security
patch had been released; NSIDE could not confirm that patch.
Risk
====
Attackers with access to a user's Keybag file and network access to the Prime
server can request a one-time code (OTC) without knowledge of the corresponding
password. If the TOTP-based multi-factor authentication is not enabled for that
account, the OTC grants the attacker direct access to the application on behalf
of that user, potentially revealing sensitive data such as account statements.
The attack can also be conducted against locked accounts.
Solution/Mitigation
===================
The vulnerabilities are inherent to UC eBanking Prime's authentication process
and according to the vendor were mitigated in a security patch released in
December 2025. NSIDE was not able to verify the solution.
A verified workaround is to enable the TOTP-based multi-factor authentication,
as NSIDE is currently not aware of any bypasses. Furthermore, clients must
ensure that the Keybag files themselves can only be accessed by authorized
users, for example through offline storage or proper file-system permissions.
Since the vulnerability also affects locked accounts, these mitigations must be
applied to those, too.
Disclosure timeline
===================
2025-03-27: Vulnerability identified during an engagement
2025-04-07: NSIDE's client agrees to responsible disclosure process
2025-04-07: Vendor notified, requested secure communication channel
2025-04-07: Vendor demands report through client
2025-04-16: NSIDE submits report to vendor
2025-04-28: Asked vendor for update, report not sighted yet
2025-05-07: Asked vendor for update, report not sighted yet
2025-05-08: Vendor acknowledges report
2025-05-28: NSIDE informed vendor about publication deadline on July 17, 2025
2025-06-25: Vendor releases fix for related vulnerability[2]
2025-07-03: Vendor states intention to fix this vulnerability during a regular release in October 2025
2025-12-15: Advisory and associated blog post[3] published by NSIDE
Contact/Credits
===============
The vulnerability was discovered during an assessment by Jonas Lieb of NSIDE
ATTACK LOGIC GmbH.
References
==========
[0] https://www.nsideattacklogic.de/
[1] https://www.hypovereinsbank.de/hvb/unternehmen/konto-zahlungsverkehr/ebanking-loesungen
[2] https://www.nsideattacklogic.de/advisories/NSIDE-SA-2025-002.txt
[3] https://www.nsideattacklogic.de/mehrere-schwachstellen-in-uc-ebanking-prime/
Disclaimer
==========
The information in this security advisory is provided "as is" and without
warranty of any kind. Details of this security advisory may be updated in order
to provide as accurate information as possible. The most recent version of this
security advisory can be found at NSIDE ATTACK LOGIC GmbH's website
(https://www.nsideattacklogic.de/).