External risk intelligence
Ecommerce Systempay 1.0 could allow external attackers to manipulate payment transaction amounts.
Ecommerce Systempay could allow external attackers to forge payment signatures and manipulate transaction amounts. This potentially exposes your financial transaction processing and sensitive payment data to compromise.
Halo Surface Signal
5/5
The vulnerability affects an e-commerce payment module designed to process online transactions. These components function as public-facing web or API endpoints that must be reachable from the internet to receive payment requests from customers, making the vulnerable interface public by design in all standard deployments.
Exposure facts
H – Horizon Alert
The Ecommerce Systempay platform contains a weakness in its cryptographic implementation that allows unauthorized parties to determine the production secret key through brute-force methods. Because this key is essential for validating payments, its compromise enables attackers to forge payment signatures and alter transaction amounts. This vulnerability poses a direct risk to the integrity of financial data, potentially allowing for the unauthorized modification of transaction values.
A – Asset Exposure
The Ecommerce Systempay payment module used in online storefronts is affected by this cryptographic vulnerability. Because this component processes online payments, its endpoint is inherently internet-facing in order to receive transaction requests from customers. If exploited by unauthorized parties, the weakness could allow the forgery of valid payment signatures and the manipulation of transaction amounts submitted through the checkout process. Consequently, the integrity of your financial transaction processing and the security of sensitive payment data may be at risk.
L – Live Threat
We are monitoring a vulnerability involving a weak cryptographic implementation that could allow unauthorized parties to brute-force the production secret keys used for payment signatures. Public exploit code is available for this issue, which may facilitate attempts to manipulate transaction data. However, the available information does not indicate evidence of active exploitation or specific targeting in the wild at this time.
O – Operational Fix
Please review your current Ecommerce Systempay integration against the latest official vendor documentation to ensure cryptographic implementations align with current security standards. We recommend prioritizing a thorough assessment of your payment signature generation processes to confirm they are configured according to vendor best practices. If you have questions regarding your specific setup, please coordinate directly with the vendor for official guidance and support.
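As an added illustration of the two controls the Horizon Alert and Operational Fix sections turn on, the Python sketch below shows a merchant-side signature check that uses a high-entropy secret key and cross-checks the notified amount against the stored order. This is example code written for this bulletin, not the vendor's module or its actual signature scheme; the HMAC-SHA-256 construction, the field names and the sample values are all assumptions.

```python
import hashlib
import hmac
import secrets

# Assumed canonical field order for the signed payload (constructed for this
# example; the module's real field set and algorithm are not described here).
SIGNED_FIELDS = ("order_id", "amount", "currency")


def sign_transaction(params: dict, key: bytes) -> str:
    """HMAC-SHA-256 over the canonical field string, keyed with the merchant secret."""
    payload = "|".join(f"{name}={params[name]}" for name in SIGNED_FIELDS)
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def key_is_strong(key: bytes, min_len: int = 32, min_distinct: int = 16) -> bool:
    """Heuristic guard: reject short or low-alphabet secrets whose key space a
    brute-force search could enumerate (e.g. a numeric PIN reused as the key)."""
    return len(key) >= min_len and len(set(key)) >= min_distinct


def generate_key() -> bytes:
    """Fresh 256-bit merchant secret from the OS CSPRNG."""
    return secrets.token_bytes(32)


def verify_callback(params: dict, stored_amount: str, key: bytes) -> tuple[bool, str]:
    """Server-side acceptance check for a payment notification.

    Two independent controls: the signature must match under the merchant key
    (constant-time compare), and the amount must equal what the order system
    recorded before the customer was sent to the payment page, so a notification
    with an altered amount is rejected even if the key has been compromised."""
    if not key_is_strong(key):
        return False, "merchant key too weak"
    expected = sign_transaction(params, key)
    if not hmac.compare_digest(expected, params.get("signature", "")):
        return False, "signature mismatch"
    if params["amount"] != stored_amount:
        return False, "amount mismatch"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed demo: order 1001 was recorded at 49.90 EUR before checkout.
    key = generate_key()
    notification = {"order_id": "1001", "amount": "49.90", "currency": "EUR"}
    notification["signature"] = sign_transaction(notification, key)
    print(verify_callback(notification, "49.90", key))
```

The amount cross-check is the control worth adding now: it catches a manipulated amount regardless of whether the signature scheme or key was weakened.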