SecurityWeek reports that major U.S. payment solutions provider KioSoft took more than a year to address a vulnerability affecting certain MiFare NFC-based stored value cards.
Although it was informed of the flaw in October 2023, KioSoft issued patches only this summer, and became active in fixing the issue only after the CERT Coordination Center got involved, according to a report from cybersecurity consulting company SEC Consult.
Attackers could leverage the bug, tracked as CVE-2025-8699, to top up card balances for free. SEC Consult's Johannes Greil detailed a potential attack that increases a card's balance to as much as $655 and can then be repeated.
Such an attack is possible using the RFID security analysis tool Proxmark, together with knowledge of MiFare's other security defects, said SEC Consult, which noted that KioSoft refused to provide more details about impacted and fixed software versions.
Patches for KioSoft vulnerability drawn out, report finds




