Skip to main content

Wincor PORT Driver CVE-2025-5555

HIGH
Buffer Overflow (CWE-119)
2025-10-18 cna@vuldb.com
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:15 vuln.today

DescriptionCVE.org

A vulnerability has been found in Nixdorf Wincor PORT IO Driver up to 1.0.0.1. This affects the function sub_11100 in the library wnport.sys of the component IOCTL Handler. Such manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0.1 is able to mitigate this issue. Upgrading the affected component is recommended. The vendor was contacted beforehand and was able to provide a patch very early.

AnalysisAI

Stack-based buffer overflow in Wincor Nixdorf PORT IO Driver versions up to 1.0.0.1 allows local authenticated attackers with low privileges to achieve arbitrary code execution with kernel-level permissions. The vulnerability exists in the sub_11100 function of the wnport.sys kernel driver's IOCTL handler. Public exploit code is available (CVSS E:P). Vendor has released version 3.0.0.1 to address this issue. EPSS data not available, not listed in CISA KEV, suggesting targeted rather than widespread exploitation despite public POC.

Technical ContextAI

This vulnerability affects the wnport.sys kernel-mode driver component of Diebold Nixdorf's (formerly Wincor Nixdorf) PORT IO Driver, a low-level Windows device driver used for hardware I/O operations in point-of-sale and banking systems. The flaw resides in the IOCTL (Input/Output Control) handler's sub_11100 function, which processes user-mode requests to kernel-mode services. CWE-119 (improper memory buffer restrictions) indicates insufficient bounds checking when copying user-supplied data to a stack-allocated buffer. In Windows kernel drivers, IOCTL handlers are common attack surfaces because they accept arbitrary data from userland. A stack-based buffer overflow in kernel space allows overwriting return addresses or function pointers, leading to arbitrary code execution at SYSTEM/kernel privilege level (ring 0). The AV:L vector confirms this requires local access to send malicious IOCTL codes to the driver, typically via DeviceIoControl API calls.

Affected ProductsAI

Diebold Nixdorf PORT IO Driver (formerly Wincor Nixdorf PORT IO Driver) versions 1.0.0.1 and earlier, specifically the wnport.sys kernel driver component. This driver is deployed on Windows-based point-of-sale terminals, ATMs, and retail banking hardware manufactured by Diebold Nixdorf. Vendor advisory and patch available at https://download.dieboldnixdorf.com/ (requires vendor portal access). All versions prior to the patched 3.0.0.1 release should be considered vulnerable.

RemediationAI

Upgrade to Wincor Nixdorf PORT IO Driver version 3.0.0.1 or later, available from https://download.dieboldnixdorf.com/ (vendor portal may require authentication). The vendor was notified pre-disclosure and released this patch version specifically to address CVE-2025-5555. Before deployment, test the upgraded driver in a non-production environment as the version jump (1.x to 3.x) may indicate architectural changes affecting hardware compatibility. If immediate patching is not feasible, implement compensating controls: restrict local administrator access to affected systems through least-privilege policies and monitor for unusual DeviceIoControl calls to wnport.sys via Windows Security Event Log (Event ID 4656/4663 for kernel object access) or EDR tools. Note that disabling the driver may break POS/ATM hardware functionality, making this unsuitable for production systems. Segment affected devices on isolated network VLANs to reduce lateral movement risk if local compromise occurs. These mitigations reduce but do not eliminate risk since the vulnerability is in kernel code.

Share

CVE-2025-5555 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy