NSIDE ATTACK LOGIC discovered multiple vulnerabilities that may allow attackers to gain unauthorized access to the eBanking web interface, granting access to sensitive data such as account statements. The vulnerability described in this advisory is a partial authentication bypass involving the OTC component.
Introduction
UC eBanking Prime is an on-premise electronic banking solution for business clients of HypoVereinsbank/UniCredit. It consists of a web application hosted in the client’s intranet and a desktop application used for authentication called OTC Client.
Description
During regular use, the user provides a so-called „Keybag“ file and a password to the OTC Client desktop application. The OTC Client validates these inputs, verifies that the account is not locked, requests an encrypted eight-digit one-time code (OTC) from the server, decrypts it and displays it to the user. To complete the authentication, the user enters this one-time code into the web application’s login form using their web browser.
This authentication process is subject to various design and implementation flaws. Firstly, NSIDE found that the (encrypted) OTC can be requested regardless of the account lockout state, since the lockout check and the OTC request are independent of each other. Secondly, the private key is stored in the Keybag file without proper protection. The Keybag file is a PKCS#12-like structure that contains various private keys and certificates. Some of these objects are protected with the user’s password; however, this does not apply to the OTC decryption key, which is „protected“ with a static, hard-coded password.
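As an added illustration (not the vendor's code and not part of this advisory), a toy Python model of the two design points above: the lockout check enforced where the OTC is issued rather than only in the client, and the OTC decryption key wrapped under the user's password instead of a static one. All names, the scrypt/HMAC wrap construction, the placeholder static password and the account states are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder for the static, hard-coded wrap password (the real value is not in the advisory).
STATIC_PASSWORD = "static-password-placeholder"

def _derive(password: str, salt: bytes):
    # Derive a 32-byte XOR pad and a 32-byte MAC key from a password (scrypt, standard library).
    km = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]

def wrap_key(otc_key: bytes, password: str) -> dict:
    """Wrap a 32-byte OTC decryption key under a password. XOR with a derived pad plus an
    HMAC tag is a toy stand-in for a real key-wrap (e.g. AES-KW); the tag turns a wrong
    password into a detectable failure instead of silently returning garbage."""
    salt = secrets.token_bytes(16)
    pad, mac_key = _derive(password, salt)
    blob = bytes(a ^ b for a, b in zip(otc_key, pad))
    return {"salt": salt, "blob": blob, "tag": hmac.new(mac_key, blob, "sha256").digest()}

def unwrap_key(entry: dict, password: str):
    # Return the OTC key, or None if the password does not match the stored tag.
    pad, mac_key = _derive(password, entry["salt"])
    tag = hmac.new(mac_key, entry["blob"], "sha256").digest()
    if not hmac.compare_digest(tag, entry["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(entry["blob"], pad))

class OtcServer:
    # Issues eight-digit one-time codes for an account.
    def __init__(self, locked_accounts: set):
        self.locked = set(locked_accounts)

    def request_otc_vulnerable(self, user: str) -> str:
        # Lockout is checked only by the client, so the server issues a code for any account.
        return f"{secrets.randbelow(10**8):08d}"

    def request_otc_hardened(self, user: str):
        # Lockout enforced at the point of issuance, independent of what the client checked.
        return None if user in self.locked else f"{secrets.randbelow(10**8):08d}"

def demo() -> dict:
    key = secrets.token_bytes(32)
    weak, strong = wrap_key(key, STATIC_PASSWORD), wrap_key(key, "user-chosen-secret")
    srv = OtcServer({"locked-user"})
    return {
        "weak_opens_without_user_password": unwrap_key(weak, STATIC_PASSWORD) == key,
        "strong_rejects_static_password": unwrap_key(strong, STATIC_PASSWORD) is None,
        "strong_opens_with_user_password": unwrap_key(strong, "user-chosen-secret") == key,
        "vulnerable_issues_to_locked": len(srv.request_otc_vulnerable("locked-user")) == 8,
        "hardened_refuses_locked": srv.request_otc_hardened("locked-user") is None,
        "hardened_issues_to_active": srv.request_otc_hardened("active-user") is not None,
    }
```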
NSIDE published this vulnerability after being notified about the release of a corresponding security patch which NSIDE could not confirm.
Risk
Attackers with access to a user’s Keybag file and network access to the Prime server can request a one-time code (OTC) without knowledge of the corresponding password. If the TOTP-based multi-factor authentication is not enabled for that account, the OTC grants the attacker direct access to the application on behalf of that user, potentially revealing sensitive data such as account statements. The attack can also be conducted against locked accounts.
Solution/Mitigation
The vulnerabilities are inherent to UC eBanking Prime’s authentication process and, according to the vendor, were mitigated in a security patch released in December 2025. NSIDE was not able to verify the solution.
A verified workaround is to enable the TOTP-based multi-factor authentication, as NSIDE is currently not aware of any bypasses. Furthermore, clients must ensure that the Keybag files themselves can only be accessed by authorized users, for example through offline storage or proper file-system permissions. Since the vulnerability also affects locked accounts, these mitigations must be applied to those, too.
Disclosure timeline
2025-03-27: Vulnerability identified during an engagement
2025-04-07: NSIDE’s client agrees to responsible disclosure process
2025-04-07: Vendor notified, requested secure communication channel
2025-04-07: Vendor demands report through client
2025-04-16: NSIDE submits report to vendor
2025-04-28: Asked vendor for update, report not sighted yet
2025-05-07: Asked vendor for update, report not sighted yet
2025-05-08: Vendor acknowledges report
2025-05-28: NSIDE informed vendor about publication deadline on July 17, 2025
2025-06-25: Vendor releases fix for related vulnerability
2025-07-03: Vendor states intention to fix this vulnerability during a regular release in October 2025
2025-12-15: Advisory and associated blog post published by NSIDE
Contact/Credits
The vulnerability was discovered during an assessment by Jonas Lieb of NSIDE ATTACK LOGIC GmbH.
Disclaimer
The information in this security advisory is provided „as is“ and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The most recent version of this security advisory can be found at NSIDE ATTACK LOGIC GmbH’s website (https://www.nsideattacklogic.de/).
