Nine Security Flaws Found in ATM Encryption Software, and Nobody Agrees How Bad It Is
A researcher found serious bugs in software that locks ATM hard drives. The world's biggest ATM maker says they don't matter. The researcher disagrees. The truth is somewhere uncomfortable.

Key points
- Security researcher Matt Burch publicly disclosed nine vulnerabilities in CryptoPro Secure Disk, full-disk encryption software used on ATMs and corporate Windows computers, ahead of a presentation at Black Hat USA 2026.
- Diebold Nixdorf, the world's largest ATM manufacturer, confirmed in 2025 that two of the nine flaws are "theoretically applicable" to its own ATM security software and quietly issued a fix in December 2025.
- More than 700 ATM jackpotting attacks (where criminals force a machine to spit out cash) were reported to the FBI in 2025 alone, stealing more than $20 million.
- CryptoPro's vendor claims more than 500,000 software licences sold across 20 industries, meaning the flaws could matter well beyond ATMs.
- Diebold declined to fully explain how it uses CryptoPro, leaving the real-world impact of the remaining seven vulnerabilities unresolved.
ATMs are basically two machines bolted together. The heavy steel bottom is the vault. The lighter top section is a regular Windows PC that talks to your bank and tells the machine how much cash to push out. That top half, security researcher Matt Burch points out, is often made of cheaper steel or even plastic, and its lock is operated by a simple cable you can reach through a gap with the right tool.
Once someone physically opens that top section, they can plug in malicious software, called malware, that targets the part of the ATM's software responsible for dispensing cash. That attack technique, nicknamed "jackpotting," has been a growing problem in the United States since 2017.
Burch's new research adds a software angle to that physical threat.
Could criminals actually use these bugs to steal cash?
Possibly, yes, though the full answer depends on which software an ATM is actually running. Burch found nine vulnerabilities in a program called CryptoPro Secure Disk, which is designed to encrypt (scramble and lock) the hard drive of a Windows computer so that nobody can read the contents without the right password. He found that under certain conditions the software would fail to encrypt properly, effectively leaving the door unlocked. He also found that the secret keys used to scramble the drive were stored right next to the data they were supposed to protect, which is roughly equivalent to taping a house key to the front door.
Combined, those weaknesses let Burch get his own code running on a test ATM, unlock the drive, and then execute a standard jackpotting attack to force the machine to dispense cash.
Diebold Nixdorf, whose Vynamic Security Suite is the security software used on the company's ATMs, told Dark Reading it disagrees with the severity of Burch's findings. A Diebold spokesperson said the vulnerabilities "pose little to no additional risk" in a real-world environment. But the same spokesperson acknowledged that two of the nine flaws are "theoretically applicable" to Diebold's own hard-drive encryption component. Diebold appears to have patched those two issues in December 2025 without a public announcement. The company declined to explain exactly how it uses CryptoPro inside its products.
That silence is the part that should bother you.
CryptoPro is not only an ATM product. The vendor claims more than 500,000 licences across five continents and 20 industries. Any organisation running Windows computers with CryptoPro Secure Disk installed should check with their IT team whether a patch is available. The failure mode here is a familiar one: encryption software that stores its own keys on the same disk it is supposed to protect is not really protecting anything.
Burch puts it plainly. If you hand someone a lockbox and leave the key sitting right beside it, the lock is theatre.
For ordinary bank customers, there is no action needed today. ATM jackpotting targets the machine itself, not customer accounts or card data. If your card ever behaves strangely at an ATM or you see an unfamiliar person crouching near the top panel of a machine, report it to the bank staff immediately.
Operational takeaway: If your organisation uses disk encryption on any Windows fleet, verify that the encryption keys are stored separately from the data they protect, ideally in a hardware security module, not on the same drive.



