Wincor PORT Driver CVE-2025-5555
HIGHSeverity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability has been found in Nixdorf Wincor PORT IO Driver up to 1.0.0.1. This affects the function sub_11100 in the library wnport.sys of the component IOCTL Handler. Such manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0.1 is able to mitigate this issue. Upgrading the affected component is recommended. The vendor was contacted beforehand and was able to provide a patch very early.
AnalysisAI
Stack-based buffer overflow in Wincor Nixdorf PORT IO Driver versions up to 1.0.0.1 allows local authenticated attackers with low privileges to achieve arbitrary code execution with kernel-level permissions. The vulnerability exists in the sub_11100 function of the wnport.sys kernel driver's IOCTL handler. Public exploit code is available (CVSS E:P). Vendor has released version 3.0.0.1 to address this issue. EPSS data not available, not listed in CISA KEV, suggesting targeted rather than widespread exploitation despite public POC.
Technical ContextAI
This vulnerability affects the wnport.sys kernel-mode driver component of Diebold Nixdorf's (formerly Wincor Nixdorf) PORT IO Driver, a low-level Windows device driver used for hardware I/O operations in point-of-sale and banking systems. The flaw resides in the IOCTL (Input/Output Control) handler's sub_11100 function, which processes user-mode requests to kernel-mode services. CWE-119 (improper memory buffer restrictions) indicates insufficient bounds checking when copying user-supplied data to a stack-allocated buffer. In Windows kernel drivers, IOCTL handlers are common attack surfaces because they accept arbitrary data from userland. A stack-based buffer overflow in kernel space allows overwriting return addresses or function pointers, leading to arbitrary code execution at SYSTEM/kernel privilege level (ring 0). The AV:L vector confirms this requires local access to send malicious IOCTL codes to the driver, typically via DeviceIoControl API calls.
Affected ProductsAI
Diebold Nixdorf PORT IO Driver (formerly Wincor Nixdorf PORT IO Driver) versions 1.0.0.1 and earlier, specifically the wnport.sys kernel driver component. This driver is deployed on Windows-based point-of-sale terminals, ATMs, and retail banking hardware manufactured by Diebold Nixdorf. Vendor advisory and patch available at https://download.dieboldnixdorf.com/ (requires vendor portal access). All versions prior to the patched 3.0.0.1 release should be considered vulnerable.
RemediationAI
Upgrade to Wincor Nixdorf PORT IO Driver version 3.0.0.1 or later, available from https://download.dieboldnixdorf.com/ (vendor portal may require authentication). The vendor was notified pre-disclosure and released this patch version specifically to address CVE-2025-5555. Before deployment, test the upgraded driver in a non-production environment as the version jump (1.x to 3.x) may indicate architectural changes affecting hardware compatibility. If immediate patching is not feasible, implement compensating controls: restrict local administrator access to affected systems through least-privilege policies and monitor for unusual DeviceIoControl calls to wnport.sys via Windows Security Event Log (Event ID 4656/4663 for kernel object access) or EDR tools. Note that disabling the driver may break POS/ATM hardware functionality, making this unsuitable for production systems. Segment affected devices on isolated network VLANs to reduce lateral movement risk if local compromise occurs. These mitigations reduce but do not eliminate risk since the vulnerability is in kernel code.
Same weakness CWE-119 – Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today