Skip to main content

Suprema BioStar 2 CVE-2026-9509

| EUVDEUVD-2026-33283 HIGH
Uncaught Exception (CWE-248)
2026-05-29 INCIBE GHSA-4ccp-5qcj-7f48
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Analysis Generated
May 29, 2026 - 15:31 vuln.today
CVSS changed
May 29, 2026 - 13:22 NVD
8.7 (HIGH)
CVE Published
May 29, 2026 - 12:11 nvd
UNKNOWN (no severity yet)
CVE Published
May 29, 2026 - 12:11 nvd
HIGH 8.7

DescriptionCVE.org

An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and potential failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems.

AnalysisAI

Unauthenticated denial of service in Suprema BioStar 2 Server versions 2.9.8, 2.9.10, and 2.9.11 allows remote attackers to halt critical processes by sending HTTP POST requests to the '/api/migration' endpoint, taking access control readers offline until manual service or server restart. No public exploit identified at time of analysis, though SSVC flags the attack as automatable with partial technical impact. Because BioStar 2 governs physical access control, the outage cascades to door readers and downstream third-party integrations, elevating real-world impact beyond a typical web-app DoS.

Technical ContextAI

BioStar 2 is Suprema's web-based physical access control platform that manages biometric and card readers, door controllers, and integrations across distributed sites. The vulnerable component is the server's REST API surface, specifically the '/api/migration' endpoint, which appears to be reachable without authentication and lacks robust exception handling. CWE-248 (Uncaught Exception) indicates the root cause is an unhandled error path in the migration handler: a malformed or unexpected POST payload propagates an exception that terminates or deadlocks a critical worker thread or service, rather than being caught and returned as an HTTP error. The CPE 'cpe:2.3:a:suprema:biostar_2_(server)' confirms the server-side application is the affected component, not the client or device firmware.

RemediationAI

Patch available per vendor advisory - upgrade BioStar 2 Server to the fixed release identified in the INCIBE-CERT notice at https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-supremas-biostar and the corresponding Suprema advisory it links to (no exact post-2.9.11 fix version is independently confirmed in the supplied data, so verify the target version with Suprema before upgrading). Until patching is possible, restrict network reachability of the BioStar 2 Server's HTTP API to a management VLAN or VPN and block external access to '/api/migration' at a reverse proxy or WAF, accepting that this breaks legitimate migration workflows and any remote administration over the public interface. As an operational compensating control, configure monitoring to auto-restart the BioStar 2 services on failure and review reader fail-safe versus fail-secure settings so a server outage does not leave doors in an unintended state.

Share

CVE-2026-9509 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy