CVE-2023-28725
Description
CVE-2023-28725 is a remote code execution vulnerability in General Bytes Crypto Application Server that allowed attackers to steal ~$1.5M in cryptocurrency by uploading a malicious Java application.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2023-28725, tracked internally by General Bytes as BATM-4780, is a remote code execution vulnerability in General Bytes Crypto Application Server (CAS) version 20230120 and earlier, the server software that General Bytes BATM devices talk to. The flaw is in the master service interface, the endpoint terminals use to upload videos. The interface does not restrict what is uploaded or where it is written: an attacker can use it to place an arbitrary Java application in /batm/app/admin/standalone/deployments, and the CAS deploys and executes anything that lands in that directory with the privileges of the batm user. Both standalone CAS installations and the General Bytes Cloud service are affected [1][2]. Fixed versions are 20221118.48 and 20230120.44 [1].
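The upload-into-the-deploy-directory pattern described above, as an added example in Python. The CAS itself is a Java application and this is not General Bytes code; the hardened handler is the generic remedy for this bug class, not the vendor's actual patch. The deployments path and the WAR name come from the advisory; the media directory, the extension allowlist and the sample uploads are assumptions.

```python
import os
import posixpath
import tempfile

# Hot-deploy directory named in the advisory: anything the server finds here
# is deployed and run as the batm user.
DEPLOYMENTS_DIR = "/batm/app/admin/standalone/deployments"

# Assumed: where the hardened handler keeps terminal videos. Nothing deploys from here.
MEDIA_DIR = "/batm/app/admin/media/videos"

ALLOWED_VIDEO_EXTENSIONS = {".mp4", ".webm"}  # assumed allowlist for terminal videos


def looks_like_video(data: bytes) -> bool:
    """Cheap content check: MP4 carries 'ftyp' at offset 4, WebM/Matroska
    starts with the EBML magic 1A 45 DF A3. A WAR (a ZIP) starts with 'PK'."""
    return data[4:8] == b"ftyp" or data[:4] == b"\x1a\x45\xdf\xa3"


def vulnerable_save(base_dir: str, client_filename: str, data: bytes) -> str:
    """The bug class: the client's filename is trusted and the file is written
    where the application server deploys from. 'hvqyhl.war' becomes a running
    web application with the CAS's own privileges."""
    target = os.path.join(base_dir, client_filename)
    with open(target, "wb") as f:
        f.write(data)
    return target


class UploadRejected(ValueError):
    pass


def hardened_save(base_dir: str, client_filename: str, data: bytes) -> str:
    """Generic remedy (not the vendor's patch): keep only the basename,
    allowlist the extension, sniff the content, let the server pick the name,
    and write to a directory that is never scanned for deployments."""
    name = posixpath.basename(client_filename.replace("\\", "/"))
    if not name or name.startswith("."):
        raise UploadRejected("empty or hidden filename")
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_VIDEO_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not looks_like_video(data):
        raise UploadRejected("content is not a recognised video container")
    fd, target = tempfile.mkstemp(suffix=ext, dir=base_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def demo() -> list:
    """Run both handlers in throwaway directories against constructed uploads.
    Returns one outcome string per attempt so the result can be checked."""
    war_bytes = b"PK\x03\x04" + b"\x00" * 28                # constructed ZIP/WAR header
    mp4_bytes = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 16  # constructed MP4 header
    attempts = [
        ("hvqyhl.war", war_bytes),    # the WAR name from the incident report
        ("../../x.war", war_bytes),   # traversal towards another directory
        ("promo.mp4", war_bytes),     # allowed extension, wrong content
        ("promo.mp4", mp4_bytes),     # a legitimate terminal video
    ]
    outcomes = []
    with tempfile.TemporaryDirectory() as deploy_dir, tempfile.TemporaryDirectory() as media_dir:
        # Stand-ins for DEPLOYMENTS_DIR and MEDIA_DIR so the demo runs anywhere.
        outcomes.append(os.path.basename(vulnerable_save(deploy_dir, "hvqyhl.war", war_bytes)))
        for fname, data in attempts:
            try:
                hardened_save(media_dir, fname, data)
                outcomes.append("accepted")
            except UploadRejected as exc:
                outcomes.append(f"rejected: {exc}")
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The vulnerable handler writes hvqyhl.war exactly where it was asked to; the hardened one rejects the WAR by extension, rejects the traversal attempt once reduced to its basename, rejects a renamed WAR by content, and accepts only the real video, under a server-chosen name in a directory the application server never scans.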
Exploitation
The attacker scanned the Digital Ocean cloud hosting IP address space for CAS services listening on port 7741, which turned up both the General Bytes Cloud service and other operators' servers [2]. Through the master service interface the attacker uploaded a malicious WAR file (for example hvqyhl.war) into the deployments directory, where it was automatically deployed and executed [1][2]. No authentication and no special network position were required, only network access to the CAS on port 7741. The attacker then deleted log files to cover their tracks; the deletions show up as time gaps in master.log and admin.log [1].
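Two checks an operator would run on a suspect CAS host after reading the above, as an added example that is not taken from the incident report: flag deployable artifacts in the deployments directory that are not on an allowlist, and flag gaps in master.log or admin.log of the kind the report describes. The log line layout (a common Java-style "YYYY-MM-DD HH:MM:SS,mmm LEVEL ..." format), the marker-file convention (JBoss/WildFly-style .deployed and .failed files), the legitimate artifact name cas-admin.war and the log lines themselves are constructed assumptions; hvqyhl.war and the dates come from the report.

```python
import re
from datetime import datetime, timedelta

# Assumed log layout, a common Java logging format; the real CAS format may
# differ, in which case only TIMESTAMP_RE needs adjusting.
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),(\d{3})")

DEPLOYABLE_EXTS = (".war", ".jar", ".ear")


def parse_ts(line: str):
    """Timestamp of a log line, or None for continuation lines and stack traces."""
    m = TIMESTAMP_RE.match(line)
    if m is None:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") + timedelta(milliseconds=int(m.group(2)))


def find_log_gaps(lines, max_gap: timedelta):
    """(previous_ts, next_ts, gap) for each pair of consecutive timestamped
    lines further apart than max_gap. On a CAS that logs terminal traffic
    continuously, a gap of hours in master.log or admin.log points to deleted
    or truncated logs rather than a quiet server."""
    gaps = []
    prev = None
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        if prev is not None and ts - prev > max_gap:
            gaps.append((prev, ts, ts - prev))
        prev = ts
    return gaps


def unexpected_deployments(names, expected):
    """Deployable artifacts in the deployments directory that are not on the
    operator's allowlist, with the deployment status inferred from marker
    files. Assumption: a JBoss/WildFly-style scanner that writes
    <artifact>.deployed or <artifact>.failed next to each artifact."""
    present = set(names)
    expected = set(expected)
    findings = []
    for name in sorted(present):
        if not name.lower().endswith(DEPLOYABLE_EXTS) or name in expected:
            continue
        if name + ".deployed" in present:
            status = "deployed"
        elif name + ".failed" in present:
            status = "failed"
        else:
            status = "unknown"
        findings.append((name, status))
    return findings


# Constructed sample data: a master.log with a gap spanning the night of
# March 17-18 2023, and a deployments listing containing the attacker's WAR.
# "cas-admin.war" is a placeholder for the operator's legitimate artifact.
SAMPLE_MASTER_LOG = """\
2023-03-17 21:58:04,120 INFO  [master] terminal BT100001 heartbeat
2023-03-17 21:59:05,003 INFO  [master] terminal BT100002 heartbeat
2023-03-18 02:41:17,880 INFO  [master] terminal BT100001 heartbeat
2023-03-18 02:42:18,021 INFO  [master] terminal BT100002 heartbeat
""".splitlines()

SAMPLE_DEPLOYMENTS = ["cas-admin.war", "cas-admin.war.deployed",
                      "hvqyhl.war", "hvqyhl.war.deployed", "README.txt"]
EXPECTED_DEPLOYMENTS = {"cas-admin.war"}


def triage():
    """Run both checks over the constructed sample data."""
    return {
        "log_gaps": find_log_gaps(SAMPLE_MASTER_LOG, max_gap=timedelta(hours=1)),
        "unexpected": unexpected_deployments(SAMPLE_DEPLOYMENTS, EXPECTED_DEPLOYMENTS),
    }


if __name__ == "__main__":
    result = triage()
    for prev, nxt, gap in result["log_gaps"]:
        print(f"log gap of {gap} between {prev} and {nxt}")
    for name, status in result["unexpected"]:
        print(f"unexpected deployment {name} ({status})")
```

On a real host, feed find_log_gaps the contents of master.log and admin.log (os.listdir of the deployments directory for the second check) and pick max_gap from the server's normal logging cadence; a CAS with active terminals should not go quiet for hours, so a gap of that size is worth treating as tampering until proven otherwise.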
Impact
Successful exploitation gave the attacker the ability to access the CAS database; read and decrypt the API keys used for hot wallets and exchanges; send funds from hot wallets; download usernames and password hashes and disable 2FA; and read terminal event logs to find cases where customers had scanned private keys at ATMs [1][2]. Roughly 56 BTC (about $1.5 million at the time) was stolen from hot wallets [3]. Both the General Bytes Cloud service and other operators' standalone servers were hit [1].
Mitigation
General Bytes released fixed versions 20221118.48 and 20230120.44 [1]. Operators should update their CAS to one of these versions immediately, following the server upgrade process documented in the knowledge base [4]. Where an immediate update is not possible, General Bytes advises shutting the CAS server down until it can be patched, since the vulnerable interface is reachable by anyone who can connect to port 7741 [1]. The vulnerability was exploited in the wild in March 2023; it is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
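A version check derived from the affected range and the fixed builds stated above, as an added example and not a General Bytes tool. It assumes the version scheme is YYYYMMDD with an optional .build suffix, as the fixed version numbers suggest, that any release line at or before 20230120 without a listed fixed build must be upgraded, and that release lines after 20230120 fall outside the affected range; the sample version strings are constructed.

```python
import re

# From the advisory: versions 20230120 and earlier are affected; the fixed
# builds are 20221118.48 and 20230120.44.
VERSION_RE = re.compile(r"^(\d{8})(?:\.(\d+))?$")
FIXED_BUILDS = {"20221118": 48, "20230120": 44}
LAST_AFFECTED_RELEASE = 20230120


def parse_version(version: str):
    """Split 'YYYYMMDD[.build]' into (release, build); a missing build counts as 0."""
    m = VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised CAS version {version!r}")
    return m.group(1), int(m.group(2) or 0)


def is_vulnerable(version: str) -> bool:
    """True when the version still needs the fix. Assumption (not the vendor's
    statement): release lines at or before 20230120 with no listed fixed build
    must be upgraded, and release lines after 20230120 are unaffected."""
    release, build = parse_version(version)
    if int(release) > LAST_AFFECTED_RELEASE:
        return False
    fixed_build = FIXED_BUILDS.get(release)
    if fixed_build is None:
        return True
    return build < fixed_build


def triage(versions):
    """Map each version string to 'update', 'ok' or 'unrecognised'."""
    report = {}
    for v in versions:
        try:
            report[v] = "update" if is_vulnerable(v) else "ok"
        except ValueError:
            report[v] = "unrecognised"
    return report


# Constructed sample inputs; only 20221118.48 and 20230120.44 are real fixed versions.
SAMPLE_VERSIONS = ["20220915.3", "20221118.47", "20221118.48",
                   "20230120", "20230120.44", "20230217.2", "v1"]

if __name__ == "__main__":
    for v, verdict in triage(SAMPLE_VERSIONS).items():
        print(f"{v}: {verdict}")
```

Run this against the version string reported by the CAS admin interface or the changelog; "update" on either fixed line means the server is below the first patched build and should be upgraded or taken offline.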
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- General Bytes Crypto Application Server (no CPE assigned), versions <= 20230120
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- arstechnica.com/information-technology/2023/03/hackers-drain-bitcoin-atms-of-1-5-million-by-exploiting-0-day-bug/
- generalbytes.atlassian.net/wiki/spaces/ESD/pages/2885222430/Security+Incident+March+17-18th+2023
- generalbytes.atlassian.net/wiki/spaces/ESD/pages/951418958/Update+CAS
- twitter.com/generalbytes/status/1637192687160897537
- web3isgoinggreat.com/single/general-bytes-crypto-atms-exploited-for-over-1-6-million
- www.bleepingcomputer.com/news/security/general-bytes-bitcoin-atms-hacked-using-zero-day-15m-stolen/
- www.generalbytes.com/en/support/changelog
News mentions
No linked articles in our index yet.