InfoSecBulletin Cybersecurity for mankind
A security researcher has unveiled a major vulnerability in a popular payment terminal that could allow attackers to take full control of the device in less than a minute. The Worldline Yomani XR model is used in grocery stores, cafes, repair shops, and various businesses in Switzerland.
The terminal’s maintenance port, despite being secure, exposes an unsecured root shell that allows remote access to anyone with brief physical access.
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Critical Cisco ISE Vulnerability Enables Remote Code Execution
F5 Patches NGINX Flaw for Code Execution and DoS Attacks
FortiBleed: 70,000 Fortinet Firewalls Compromised Globally
New Rokarolla Android malware hits 217 banking and crypto apps
Phishing Campaign Exploits Legitimate Microsoft Login Flow
ALERT
Cisco SD-WAN Zero-Day, FortiSandbox and cPanel flaws exploited in attacks
“Panthalassa” builds floating AI data centers powered by ocean waves
Critical Wazuh Vuln Enables Alert Tampering and Evidence Deletion
Unlocked Root Shell and Accessible Debug Port:
When first powered on, the terminal appears to behave normally. A quick network scan yields no open ports.
An internal analysis found an unused debug connector on the device’s back panel, hidden under a small hatch. After connecting a serial cable and powering it up, the researcher saw a typical Linux boot log.
The system uses a 3.6 kernel built with Buildroot in early 2023, featuring BusyBox utilities and uClibc libraries. A login prompt shows up on the serial console after booting.
Entering “root” at the prompt grants immediate access to a full root shell. No password barrier, no encryption just one word.
Once inside, an attacker could install malware, capture transaction data, or pivot into back-end networks.
Physically, the Yomani XR is impressively engineered. The terminal uses a custom dual-core Arm ASIC (“Samoa II”), multiple tightly compressed PCBs, and extensive tamper detection features.
Pressure-sensitive zebra strips and zig-zag copper traces on each board detect unauthorized disassembly by breaking circuits.
A coin-cell battery ensures tamper protection remains active even when power is removed. Exposed wiring or drilling into the PCB would trigger an irreversible red screen, rendering the terminal inoperable.
Yet these hardware safeguards do not cover the debug interface. The reveal of an unsecured serial port undermines the design’s overall security goals.
Further firmware analysis shows the terminal actually runs two separate processing environments.
The first core boots an “insecure” Linux application that handles network communication and general business logic.
This core is responsible for loading a second, “secure” firmware image onto a dedicated processor that manages the card reader, keypad, and display.
That secure image is encrypted and signed, and only runs if tamper protections are intact. As a result, even if attackers access the Linux shell, they cannot directly manipulate card handling without breaching the secure core.
However, compromise of the application core still poses significant risk. Attackers could disrupt updates, log network traffic, or install backdoors to later target the secure processor.
While no public evidence exists of stolen card data through this route, the exposure of an unprotected root shell remains a critical oversight.
Merchants relying on these terminals should inspect devices for unauthorized access hatches and ask vendors for firmware updates that disable the external debug port.
Worldline has been notified and reportedly fixed the issue in later firmware releases. Until those updates are widely deployed, terminal operators face an unnecessary risk hidden beneath robust hardware defenses.
