Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and potential failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems.
AnalysisAI
Unauthenticated denial of service in Suprema BioStar 2 Server versions 2.9.8, 2.9.10, and 2.9.11 allows remote attackers to halt critical processes by sending HTTP POST requests to the '/api/migration' endpoint, taking access control readers offline until manual service or server restart. No public exploit identified at time of analysis, though SSVC flags the attack as automatable with partial technical impact. Because BioStar 2 governs physical access control, the outage cascades to door readers and downstream third-party integrations, elevating real-world impact beyond a typical web-app DoS.
Technical ContextAI
BioStar 2 is Suprema's web-based physical access control platform that manages biometric and card readers, door controllers, and integrations across distributed sites. The vulnerable component is the server's REST API surface, specifically the '/api/migration' endpoint, which appears to be reachable without authentication and lacks robust exception handling. CWE-248 (Uncaught Exception) indicates the root cause is an unhandled error path in the migration handler: a malformed or unexpected POST payload propagates an exception that terminates or deadlocks a critical worker thread or service, rather than being caught and returned as an HTTP error. The CPE 'cpe:2.3:a:suprema:biostar_2_(server)' confirms the server-side application is the affected component, not the client or device firmware.
RemediationAI
Patch available per vendor advisory - upgrade BioStar 2 Server to the fixed release identified in the INCIBE-CERT notice at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar and the corresponding Suprema advisory it links to (no exact post-2.9.11 fix version is independently confirmed in the supplied data, so verify the target version with Suprema before upgrading). Until patching is possible, restrict network reachability of the BioStar 2 Server's HTTP API to a management VLAN or VPN and block external access to '/api/migration' at a reverse proxy or WAF, accepting that this breaks legitimate migration workflows and any remote administration over the public interface. As an operational compensating control, configure monitoring to auto-restart the BioStar 2 services on failure and review reader fail-safe versus fail-secure settings so a server outage does not leave doors in an unintended state.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33283
GHSA-4ccp-5qcj-7f48