Chrome 141 and Firefox 143 Patches Fix High-Severity Vulnerabilities

Google and Mozilla this week released Chrome and Firefox browser updates that address multiple high-severity vulnerabilities.

Google promoted Chrome 141 to the stable channel with 21 security fixes, including 12 for security defects reported by external researchers, who earned a total of $50,000 for their findings.

Two of the externally reported bugs, tracked as CVE-2025-11205 and CVE-2025-11206, are high-severity heap buffer overflow issues impacting Chrome’s WebGPU and Video components.

Google says it handed out a $25,000 bug bounty reward for the WebGPU flaw, which was reported by Atte Kettunen of OUSPG in early September.

Chrome 141 also resolves eight medium-severity vulnerabilities, including side-channel information leakage issues in Storage and Tab, inappropriate implementation bugs in Media and Omnibox, an out-of-bounds read flaw in Media, and an off-by-one error in the V8 JavaScript engine.

The remaining two security holes reported by external researchers are low-severity issues affecting Chrome’s Storage component and the V8 engine.

The latest Chrome iteration is rolling out as version 141.0.7390.54 for Linux and as versions 141.0.7390.54/55 for Windows and macOS. The patches were also included in Chrome 141.0.7390.43 for Android.

Mozilla released Firefox 143.0.3 this week with fixes for two high-severity defects in the Graphics and JavaScript Engine components.


The Graphics flaw, tracked as CVE-2025-11152, is an integer overflow issue that could lead to sandbox escape. The JavaScript Engine weakness, tracked as CVE-2025-11153, is described as a JIT miscompilation.

Neither Google nor Mozilla mentions any of these vulnerabilities being exploited in the wild, but users are advised to update their browsers as soon as possible.

Related: Chrome 140 Update Patches Sixth Zero-Day of 2025

Related: OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks

Related: AMTSO Releases Sandbox Evaluation Framework

Related: Security is Everywhere. Can Your Services Keep Up?

https://www.securityweek.com/chrome-141-and-firefox-143-patches-fix-high-severity-vulnerabilities/




OpenSSL Vulnerabilities Allow Private Key Recovery, Code Execution, DoS Attacks

The OpenSSL Project has announced the availability of several new versions of the open source SSL/TLS toolkit, which include patches for three vulnerabilities.

Versions 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm and 1.1.1zd of the OpenSSL Library have been released. Most of them fix all three vulnerabilities, tracked as CVE-2025-9230, CVE-2025-9231 and CVE-2025-9232.

Two of the vulnerabilities have been assigned a ‘moderate severity’ rating. One of them is CVE-2025-9231, which may allow an attacker to recover the private key. 

OpenSSL is used by many applications, websites and services for securing communications and an attacker who can obtain a private key may be able to decrypt encrypted traffic or conduct a man-in-the-middle (MitM) attack. 

However, OpenSSL developers pointed out that only the SM2 algorithm implementation on 64-bit ARM platforms is impacted.

“OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts,” the developers explained. “However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.”

CVE-2025-9230, described as an out-of-bounds read/write issue that can be exploited for arbitrary code execution or DoS attacks, has also been assigned a ‘moderate severity’ rating.

“Although the consequences of a successful exploit of this vulnerability could be severe, the probability that the attacker would be able to perform it is low,” the OpenSSL Project’s security advisory explains. 


The third vulnerability, CVE-2025-9232, is rated ‘low severity’ and can be exploited to trigger a crash, resulting in a DoS condition.

The security of OpenSSL has evolved a great deal since the discovery of the notorious Heartbleed vulnerability. 

While some flaws have still made headlines, the number and severity of vulnerabilities found in OpenSSL in recent years have been low. Only three other issues have been resolved to date in 2025, and only one has a ‘high severity’ rating.

The high-severity issue was discovered by Apple researchers and it can allow MitM attacks. 

Related: Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability

Related: Organizations Warned of Exploited Sudo Vulnerability

Related: Recent Fortra GoAnywhere MFT Vulnerability Exploited as Zero-Day

https://www.securityweek.com/openssl-vulnerabilities-allow-private-key-recovery-code-execution-dos-attacks/




Broadcom Fails to Disclose Zero-Day Exploitation of VMware Vulnerability

A newly patched high-severity VMware vulnerability has been exploited as a zero-day since October 2024 for code execution with elevated privileges, NVISO Labs reports.

Tracked as CVE-2025-41244 (CVSS score of 7.8), the security defect impacts both VMware Aria Operations and VMware Tools.

VMware’s parent company Broadcom rolled out patches this week, warning that the flaw allows attackers to escalate their privileges to root on VMs that have VMware Tools installed and are managed by Aria Operations with SDMP enabled, but made no mention of its in-the-wild exploitation.

The company’s public advisories typically warn customers if zero-day exploitation has been detected. 

According to NVISO, which was credited for the find, a Chinese state-sponsored threat actor tracked as UNC5174 has been exploiting the bug for a year. UNC5174 was recently linked to an attack on cybersecurity firm SentinelOne.  

“We can however not assess whether this exploit was part of UNC5174’s capabilities or whether the zero-day’s usage was merely accidental due to its trivialness,” NVISO notes.

The vulnerability impacts VMware Aria Operations’ service and application discovery feature, which includes both legacy credential-based service discovery (in which VMware Tools acts as a proxy for the operation) and credential-less service discovery (metrics collection implemented in VMware Tools).

“As part of its discovery, NVISO was able to confirm the privilege escalation affects both modes, with the logic flaw hence being respectively located within VMware Aria Operations (in credential-based mode) and the VMware Tools (in credential-less mode),” NVISO explains.


NVISO, which notes that successful exploitation of CVE-2025-41244 allows unprivileged users to execute code with root privileges, warns that the open source variant of VMware Tools, open-vm-tools, which ships with major Linux distributions, is also impacted.

Open-vm-tools’ discovery script, NVISO says, calls a function that takes a regular expression pattern as its argument and uses it to identify the binaries of supported services.

However, because several of these patterns use the broad‑matching \S character class, they also match non-system binaries located in directories writable by non-privileged users.

Thus, an attacker can abuse a vulnerable open-vm-tools release by staging a malicious binary at a path the broad regular expression matches; the discovery code will then execute that binary with root privileges to determine its version.

UNC5174, NVISO notes, has been exploiting the weakness by placing malicious binaries at the /tmp/httpd path. To be elevated, the binaries are first executed with low privileges and open a listening socket on a random port, so that the discovery logic picks them up.
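To make the matching problem concrete, the following is an added illustration and not NVISO’s or open-vm-tools’ own code. The listener list is constructed sample data, the broad patterns are written in the style the text describes (not copied from the project), and the anchored allowlist is an assumption about how such a check could be hardened, not the vendor’s fix. It shows which binaries a root-running collector would select for a version probe under each pattern set, and derives a simple lookalike check from the difference.

```python
import re

# Constructed sample of (pid, executable path) pairs, in the shape a service-discovery
# scanner might collect from processes holding listening sockets. Not real data.
SAMPLE_LISTENERS = [
    (812, "/usr/sbin/httpd"),
    (913, "/usr/sbin/mysqld"),
    (4242, "/tmp/httpd"),                 # attacker-staged, mimics a system binary name
    (4243, "/home/alice/.cache/mysqld"),  # same trick from a home directory
    (77, "/usr/lib/systemd/systemd"),     # unrelated listener, must never match
]

SERVICES = ("httpd", "mysqld")

# Illustrative patterns in the style the article describes (assumption: not taken from
# open-vm-tools). "\S+/" accepts any non-whitespace prefix, so /tmp/httpd qualifies.
BROAD_PATTERNS = [rf"\S+/{svc}\S*" for svc in SERVICES]

# Hardened variant (assumption, not the vendor's fix): anchor the match to an allowlist
# of root-owned system directories and to the exact binary name.
TRUSTED_DIRS = ("/usr/sbin", "/usr/bin", "/sbin", "/bin", "/usr/libexec")
_DIR_ALT = "|".join(re.escape(d) for d in TRUSTED_DIRS)
STRICT_PATTERNS = [rf"^(?:{_DIR_ALT})/{svc}$" for svc in SERVICES]


def select_candidates(listeners, patterns):
    """Return the executable paths the discovery step would select for a version probe.

    With the broad patterns this is the set of binaries a root-running collector would
    execute with a version flag; any entry under a user-writable path is the
    privilege-escalation primitive.
    """
    compiled = [re.compile(p) for p in patterns]
    return [path for _pid, path in listeners if any(rx.search(path) for rx in compiled)]


def flag_lookalikes(listeners):
    """Detection helper: listeners the broad match accepts but the strict match rejects,
    i.e. service-named binaries living outside trusted system directories."""
    broad = set(select_candidates(listeners, BROAD_PATTERNS))
    strict = set(select_candidates(listeners, STRICT_PATTERNS))
    return sorted(broad - strict)


if __name__ == "__main__":
    print("broad  :", select_candidates(SAMPLE_LISTENERS, BROAD_PATTERNS))
    print("strict :", select_candidates(SAMPLE_LISTENERS, STRICT_PATTERNS))
    print("suspect:", flag_lookalikes(SAMPLE_LISTENERS))
```

The anchored pattern only removes the path-based primitive; a hardened collector should additionally refuse to execute anything whose owner is not root or whose parent directory is writable by others, since an allowlisted directory name is no guarantee about the file sitting in it.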

Broadcom fixed the flaw in fresh releases of VMware Cloud Foundation, vSphere Foundation, Aria Operations, Telco Cloud Platform, and VMware Tools, and noted that fixes for open-vm-tools will be distributed by Linux vendors.

To detect exploitation of CVE-2025-41244, organizations should look for uncommon child processes spawned by the discovery components. In environments without such monitoring, analyzing lingering metrics collector scripts and their outputs left behind in legacy credential-based mode can confirm exploitation.

“The broad practice of mimicking system binaries (e.g., httpd) highlights the real possibility that several other malware strains have accidentally been benefiting from unintended privilege escalations for years,” NVISO says, noting that the bug could easily be found in the open-vm-tools source code by threat actors.

Related: Call for Presentations Open for 2025 CISO Forum Virtual Summit

Related: Google Patches Gemini AI Hacks Involving Poisoned Logs, Search Results

Related: Apple Updates iOS and macOS to Prevent Malicious Font Attacks

Related: Organizations Warned of Exploited Sudo Vulnerability

https://www.securityweek.com/broadcom-fails-to-disclose-zero-day-exploitation-of-vmware-vulnerability/




High-Severity Vulnerabilities Patched in VMware Aria Operations, NSX, vCenter 

Broadcom on Monday announced patches for six vulnerabilities affecting VMware Aria Operations, NSX, vCenter, and VMware Tools products, including four high-severity flaws.

Both Aria Operations and VMware Tools are impacted by a high-severity local privilege escalation bug tracked as CVE-2025-41244.

“A malicious local actor with non-administrative privileges having access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled may exploit this vulnerability to escalate privileges to root on the same VM,” the vendor explains.

Patches have also been rolled out for a medium-severity issue in VMware Aria Operations that could allow attackers to disclose the credentials of other users (CVE-2025-41245), and a high-severity defect in Tools for Windows that could allow attackers to access other guest VMs (CVE-2025-41246).

Fixes for these vulnerabilities were included in Aria Operations version 8.18.5, Cloud Foundation and vSphere Foundation versions 9.0.1.0 and 13.0.5.0, VMware Tools versions 13.0.5 and 12.5.4, and Telco Cloud Infrastructure version 8.18.5.

VMware resolved a high-severity SMTP header injection bug (CVE-2025-41250) in vCenter that could allow an authenticated attacker with non-administrative privileges to “manipulate the notification emails sent for scheduled tasks”.

Additionally, it patched two high-severity flaws in NSX that could allow attackers to enumerate valid usernames.

The first, CVE-2025-41251, is described as a weak password recovery mechanism issue that could lead to brute-force attacks, while the second, CVE-2025-41252, is described as a username enumeration defect that could lead to unauthorized access attempts.


Cloud Foundation and vSphere Foundation version 9.0.1.0, vCenter versions 8.0 U3g and 7.0 U3w, Cloud Foundation versions 5.2.2 and 7.0 U3w (async patch), NSX versions 4.2.2.2, 4.2.3.1, and 4.1.2.7, and NSX-T version 3.2.4.3 contain fixes for these flaws. VMware also published patch instructions for Cloud Foundation and Telco Cloud Infrastructure.

VMware makes no mention of any of these vulnerabilities being exploited in the wild. However, users are advised to update their deployments as soon as possible.

Related: Apple Updates iOS and macOS to Prevent Malicious Font Attacks

Related: Organizations Warned of Exploited Sudo Vulnerability

Related: No Patches for Vulnerabilities Allowing Cognex Industrial Camera Hacking

Related: Cybersecurity Courses Ramp Up Amid Shortage of Professionals

https://www.securityweek.com/high-severity-vulnerabilities-patched-in-vmware-aria-operations-nsx-vcenter/




Recent Fortra GoAnywhere MFT Vulnerability Exploited as Zero-Day

Exploitation of a recently disclosed Fortra GoAnywhere MFT vulnerability started at least one week before patches were released, cybersecurity firm watchTowr reports.

Fortra fixed the security defect, tracked as CVE-2025-10035 (CVSS score of 10/10), on September 18, making no mention of its in-the-wild exploitation, but sharing indicators-of-compromise (IoCs) to help organizations hunt for potential attacks.

The flaw is described as a deserialization vulnerability in the secure file transfer application’s license servlet, which could allow an attacker with a forged license response signature to deserialize a crafted object and achieve command injection.

“Immediately ensure that access to the GoAnywhere Admin Console is not open to the public. Exploitation of this vulnerability is highly dependent upon systems being externally exposed to the internet,” Fortra warned.

According to watchTowr, Fortra’s patches for CVE-2025-10035 came eight days late, as the issue had already been exploited as a zero-day by the time it was discovered on September 11.

“We have been given credible evidence of in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 dating back to September 10, 2025. That is eight days before Fortra’s public advisory,” watchTowr notes.

As part of the observed attacks, hackers triggered the vulnerability for remote code execution (RCE), without authentication, to create a backdoor admin account on vulnerable instances.

Then, they leveraged the account to create a web user that provided them with access to the MFT service, and used it to upload and execute various additional payloads.


In a technical analysis of the CVE, watchTowr pointed out that there are over 20,000 GoAnywhere MFT instances accessible from the internet, including deployments pertaining to Fortune 500 companies.

Cybersecurity outfit Rapid7, which performed its own in-depth analysis of the security defect, explains that it is not a simple deserialization issue, but a chain of three separate bugs.

“This includes an access control bypass that has been known since 2023, the unsafe deserialization vulnerability CVE-2025-10035, and an as-yet unknown issue pertaining to how the attackers can know a specific private key,” Rapid7 explains.

The company flagged the access control bypass in February 2023, when Fortra patched a pre-authentication remote code execution bug in GoAnywhere MFT that had been exploited as a zero-day.

Both watchTowr and Rapid7 underline that they could not find the private key ‘serverkey1’ needed to forge the license response signature, which successful exploitation of CVE-2025-10035 requires.

The two companies note that exploitation is possible if the private key was leaked and attackers obtained it, if the attackers can trick a license server into signing a malicious license response, or if the attackers gained access to serverkey1 by some unknown means.

Related: Cisco Firewall Zero-Days Exploited in China-Linked ArcaneDoor Attacks

Related: Chinese Cyberspies Hacked US Defense Contractors

Related: GeoServer Flaw Exploited in US Federal Agency Hack

Related: ChamelGang Hackers Target Energy, Aviation, and Government Sectors

https://www.securityweek.com/recent-fortra-goanywhere-mft-vulnerability-exploited-as-zero-day/




Cisco Firewall Zero-Days Exploited in China-Linked ArcaneDoor Attacks

Cisco on Thursday released emergency patches for two firewall vulnerabilities exploited as zero-days in attacks linked to the ArcaneDoor espionage campaign.

Tracked as CVE-2025-20333 (CVSS score of 9.9) and CVE-2025-20362 (CVSS score of 6.5), the bugs impact the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Secure Firewall Threat Defense (FTD) software.

The issues, Cisco explains, exist because user-supplied input in HTTP(S) requests is not properly validated, allowing a remote attacker to send crafted requests and execute arbitrary code with root privileges or access a restricted URL without authentication.

The attacker needs valid VPN user credentials to exploit the critical-severity defect, but can exploit the medium-severity one without authentication.

Both vulnerabilities, Cisco notes in a fresh alert, were discovered after it was called in May 2025 to assist with investigating attacks targeting government organizations, in which ASA 5500-X series devices with VPN web services enabled were compromised.

As part of the attacks, which Cisco linked to the ArcaneDoor espionage campaign flagged last year, the zero-days allowed hackers to deploy malware, run commands, and likely exfiltrate data from the compromised devices.

“Attackers were observed to have exploited multiple zero-day vulnerabilities and employed advanced evasion techniques such as disabling logging, intercepting CLI commands, and intentionally crashing devices to prevent diagnostic analysis,” Cisco explains.

While it has yet to be confirmed by the wider cybersecurity community, there is some evidence suggesting that the hackers behind the ArcaneDoor campaign are based in China. 


The threat actor was seen tampering with the devices’ read-only memory (ROM) to ensure persistence across reboots and software updates. These modifications were possible because the compromised devices do not support Secure Boot and Trust Anchor.

According to Cisco, the hackers successfully compromised 5512-X, 5515-X, and 5585-X devices, which have been discontinued, as well as 5525-X, 5545-X, and 5555-X models, which will be discontinued on September 30, 2025.

The vulnerable ASA software runs on ASA 5505-X, 5506H-X, 5506W-X, 5508-X, and 5516-X devices, and on all Firepower and Secure Firewall models, but these products support Secure Boot and Trust Anchors and Cisco has not observed their successful compromise.

Users are advised to update their devices as soon as possible, as the fixed release will automatically check the ROM and remove the attackers’ persistence mechanism. Users are also advised to rotate all passwords, certificates, and keys following the update.

“In cases of suspected or confirmed compromise on any Cisco firewall device, all configuration elements of the device should be considered untrusted,” Cisco notes. The company also released a detection guide to help organizations hunt for potential compromise associated with the ArcaneDoor campaign.

The UK’s National Cyber Security Centre (NCSC) published a technical analysis (PDF) of the malware identified in the observed attacks, recommending that the vulnerable ASA 5500-X series models that have been or will soon be discontinued be replaced as soon as possible.

“The NCSC is calling on network defenders using affected products to urgently investigate this activity and has published new analysis of the malware components – dubbed RayInitiator and LINE VIPER – to assist with detection and mitigation,” NCSC notes.

On Thursday, the US cybersecurity agency CISA added both CVE-2025-20333 and CVE-2025-20362 to its Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to address them within one day.

CISA also issued Emergency Directive ED 25-03, mandating that federal agencies identify all Cisco ASA and Firepower devices in their environments, collect memory files, and send them to CISA for forensic analysis by the end of the day on September 26.

“CISA is directing agencies to account for all Cisco ASA and Firepower devices, collect forensics and assess compromise via CISA-provided procedures and tools, disconnect end-of-support devices, and upgrade devices that will remain in service. These actions are directed to address the immediate risk, assess compromise, and inform analysis of the ongoing threat actor campaign,” CISA notes.

On Thursday, Cisco also released patches for CVE-2025-20363 (CVSS score of 9.0), a remote code execution bug that can be exploited without authentication on devices running ASA and FTD software, but requires authentication on products running IOS, IOS XE, and IOS XR software.

“An attacker could exploit this vulnerability by sending crafted HTTP requests to a targeted web service on an affected device after obtaining additional information about the system, overcoming exploit mitigations, or both. A successful exploit could allow the attacker to execute arbitrary code as root, which may lead to the complete compromise of the affected device,” the company notes.

CVE-2025-20363 does not appear to have been exploited in the wild, although Cisco mentions it in the alert detailing the observed compromise.

Related: Cisco Patches Zero-Day Flaw Affecting Routers and Switches

Related: Cisco Patches High-Severity IOS XR Vulnerabilities

Related: Chinese Hackers Lurked Nearly 400 Days in Networks With Stealthy BrickStorm Malware

Related: Bridging the Gap Between Training and Behavior

https://www.securityweek.com/cisco-firewall-zero-days-exploited-in-china-linked-arcanedoor-attacks/




GeoServer Flaw Exploited in US Federal Agency Hack

The US cybersecurity agency CISA has shared details on the exploitation of a year-old GeoServer vulnerability to compromise a federal civilian executive branch (FCEB) agency.

The exploited bug, tracked as CVE-2024-36401 (CVSS score of 9.8) and leading to remote code execution (RCE), was disclosed on June 30, 2024, two weeks before CISA added it to the KEV catalog.

On July 11, 2024, four days before CISA’s alert, a threat actor exploited the bug to gain access to a GeoServer instance pertaining to the victim agency, then moved laterally to a web server and to an SQL server.

“On each server, they uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living-off-the-land (LOTL) techniques,” CISA explains in a fresh report.

On July 24, nine days after the bug was added to the KEV list, the threat actor exploited the same vulnerability in another GeoServer instance belonging to the same agency.

The attackers dropped web shells and created cron jobs and user accounts to maintain persistence, and then attempted to escalate privileges, including by exploiting the Dirty COW vulnerability in the Linux kernel.


“After compromising web service accounts, they escalated their local privileges to transition away from these service accounts (it is unknown how they escalated privileges),” CISA explains.

The threat actor also used brute force attacks to obtain passwords allowing it to move laterally and elevate privileges, performed reconnaissance using readily available tools, downloaded payloads using PowerShell, and deployed the Stowaway multi-level proxy tool for command-and-control (C&C).

“The cyber threat actors remained undetected in the organization’s environment for three weeks before the organization’s SOC identified the compromise using their EDR tool,” CISA notes.

According to the cybersecurity agency, the victim was still within the KEV-mandated patching window for the GeoServer bug, but it lacked procedures for bringing in third parties for assistance, missed an EDR alert on Stowaway on July 15, 2024, and therefore did not detect the activity at that point, and had no endpoint protection deployed on the web server.

While CISA has not attributed the attack to a specific threat actor, the China Chopper web shell is typically used in attacks by China-linked threat actors such as APT41 (Brass Typhoon), Gallium (Granite Typhoon), and Hafnium (Silk Typhoon).

Believed to have orchestrated last year’s US Treasury hack, Silk Typhoon is known for targeting critical infrastructure organizations worldwide, and for hacking multiple industries in North America.

“China Chopper has been around for over a decade, and it’s the same web shell used in the 2021 Exchange attacks. The real issue is that attackers chained a well-known exploit, moved laterally, and remained inside the network for nearly three weeks before anyone noticed, even with EDR deployed. That’s the modern danger we’re dealing with. It’s not exotic zero-days, but gaps that go unpatched and undetected until it’s too late,” Tuskira CEO and co-founder Piyush Sharma said.

Related: All Microsoft Entra Tenants Were Exposed to Silent Compromise via Invisible Actor Tokens: Researcher

Related: SonicWall Updates SMA 100 Appliances to Remove Overstep Malware

Related: Sesame Workshop Regains Control of Elmo’s Hacked X Account After Racist Posts

Related: How Do You Know If You’re Ready for a Red Team Partnership?

https://www.securityweek.com/geoserver-flaw-exploited-in-us-federal-agency-hack/




Libraesva Email Security Gateway Vulnerability Exploited by Nation-State Hackers

Libraesva has addressed a vulnerability in its integrated email security platform that has been exploited in the wild.

Tracked as CVE-2025-59689 (CVSS score of 6.1), the flaw is described as a command injection issue that could lead to the execution of arbitrary commands as a non-privileged user.

According to Libraesva’s advisory, the bug could be exploited via malicious emails containing crafted compressed attachments.

“This occurs due to an improper sanitization during the removal of active code from files contained in some compressed archive formats,” the company explains.

The flaw is triggered by specific archive formats whose contents are not properly sanitized, allowing payloads inside them to execute arbitrary shell commands.

The security defect affects Libraesva ESG versions 4.5 through 5.5, but fixes were released only for ESG 5.x versions, as the 4.x versions have been discontinued.

Libraesva pushed the patches to both cloud and on-premise ESG deployments and says all appliances are now running a fixed software iteration.

Customers running on-premise ESG 4.x versions are advised to manually update to a patched 5.x version as soon as possible, given that the vulnerability has been exploited.


“One confirmed incident of abuse has been identified. The threat actor is believed to be a foreign hostile state entity,” Libraesva says.

“The single‑appliance focus underscores the precision of the threat actor (believed to be a foreign hostile state) and highlights the importance of rapid, comprehensive patch deployment,” the company notes.

In addition to resolving the flaw, Libraesva’s patches scan for indicators-of-compromise (IoCs) and contain a self-assessment module that checks the patch integrity and hunts for residual threats.

An integrated solution, Libraesva ESG protects email services from phishing, BEC, and advanced threats, and is suited for all types of organizations, including small and medium-sized businesses and large enterprises.

Related: SolarWinds Makes Third Attempt at Patching Exploited Vulnerability

Related: Patch Bypassed for Supermicro Vulnerability Allowing BMC Hack

Related: Top 25 MCP Vulnerabilities Reveal How AI Agents Can Be Exploited

Related: Researchers Earn $150,000 for L1TF Exploit Leaking Data From Public Cloud

https://www.securityweek.com/libraesva-email-security-gateway-vulnerability-exploited-by-nation-state-hackers/




Unpatched Vulnerabilities Expose Novakon HMIs to Remote Hacking

Some of the industrial control system (ICS) products made by Taiwan-based Novakon are affected by serious vulnerabilities, and the vendor does not appear to have released any patches. 

A subsidiary of iBASE Technology, Novakon designs and manufactures human-machine interfaces (HMIs), industrial PCs, and IIoT solutions. The company serves 18 countries across North America, Europe and Asia. Marketing materials show that 40,000 units of Novakon’s 7” HMIs have been deployed in global data centers. 

Researchers at CyberDanube, an IT/OT penetration testing and security consulting company, discovered that Novakon’s HMIs are affected by five types of vulnerabilities.

According to an advisory published by CyberDanube, the HMIs are affected by an unauthenticated buffer overflow allowing remote code execution with root privileges, a directory traversal that exposes files, and a couple of weak authentication issues that allow access to the device and applications.

The security firm’s researchers also discovered missing protection mechanisms and unnecessarily high permissions for certain processes. 

Sebastian Dietz, security researcher at CyberDanube, told SecurityWeek that the vulnerabilities can be exploited remotely without authentication.

“An unauthenticated attacker could leverage these vulnerabilities to execute high privilege code on these devices,” Dietz explained. “As HMI devices are used to interact with machines and systems (eg, PLCs, production lines) in critical infrastructure, gaining arbitrary code execution could have severe consequences.”

Dietz noted that it’s difficult to determine how many devices may be vulnerable to attacks, “as they are normally deployed in critical infrastructure and (hopefully) not directly exposed via the internet”.


CyberDanube said it sent Novakon a report describing its findings, but the vendor did not provide any feedback and ignored the vast majority of its communication attempts.

Novakon has not responded to SecurityWeek’s request for comment.

Related: DELMIA Factory Software Vulnerability Exploited in Attacks

Related: ICS Patch Tuesday: Rockwell Automation Leads With 8 Security Advisories

Related: Critical Flaws Patched in Rockwell FactoryTalk, Micro800, ControlLogix Products

https://www.securityweek.com/unpatched-vulnerabilities-expose-novakon-hmis-to-remote-hacking/




Payment System Vendor Took Year+ to Patch Infinite Card Top-Up Hack: Security Firm

SEC Consult, a cybersecurity consulting firm under Eviden, says payment solutions company KioSoft took a long time to address a serious vulnerability affecting some of its NFC-based cards.

KioSoft manufactures unattended self-service payment machines, including for laundromats, arcades, vending machines, and car washes. The company is based in Florida and has offices in seven countries around the world. Its website claims it has deployed over 41,000 kiosks and 1.6 million payment terminals across 35 countries. 

SEC Consult researchers discovered back in 2023 that some of KioSoft’s stored-value cards — digital wallets that customers reload for use at specific payment terminals — are affected by a vulnerability (CVE-2025-8699) that can be exploited for free balance top-ups. The hack relies on the fact that the balance is stored locally on the card rather than a secure online database. 

The impacted cards identified by SEC Consult relied on MiFare Classic NFC card technology, which is known to have significant security issues.

Building on the known MiFare card vulnerabilities and analyzing how data is stored on the cards, SEC Consult researchers managed to read data from the card and write data on the card, enabling them to “create money out of thin air”. A hacker can increase the card’s balance to up to $655, but the process can be repeated, SEC Consult’s Johannes Greil told SecurityWeek.

An attacker can conduct an attack using a hardware tool such as the Proxmark, which is designed for RFID security analysis, research and development. The attacker also needs to have some knowledge of the MiFare card vulnerabilities to carry out a hack, Greil explained.
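The design point behind this attack, as an added example that is neither SEC Consult’s nor KioSoft’s code: a model of a stored-value card whose balance lives on the card, the single block rewrite that yields the “money out of thin air”, and a server-side ledger keyed by card identifier for contrast. The block layout, the 16-bit cents field (whose 65535 maximum is $655.35, offered as one possible explanation for the roughly $655 cap reported), and the ledger API are assumptions made for illustration.

```python
import struct

# Model of a MiFare Classic stored-value card. Blocks are 16 bytes; this layout
# (4-byte card UID, balance in cents as a little-endian uint16, then padding) is
# constructed for this example and is not KioSoft's real data format.
BLOCK_SIZE = 16
MAX_CENTS = 0xFFFF  # 65535 cents = $655.35; a 16-bit field is one explanation
                    # (assumption) for the roughly $655 per-write cap reported.


def make_card(uid, cents):
    """Issue a card block with a legitimately loaded balance."""
    if len(uid) != 4 or not 0 <= cents <= MAX_CENTS:
        raise ValueError("bad uid or balance")
    return uid + struct.pack("<H", cents) + bytes(BLOCK_SIZE - 6)


def read_balance(block):
    return struct.unpack("<H", block[4:6])[0]


def forge_top_up(block, cents):
    """Attacker step: once the sector key is recovered through the known MiFare
    Classic weaknesses (e.g. with a Proxmark), the balance field is simply
    rewritten. Repeating this after each spend gives unlimited value."""
    return block[:4] + struct.pack("<H", cents) + block[6:]


def charge_card_trusting(block, price):
    """Vulnerable terminal: the card is the source of truth for the balance.
    Returns (accepted, updated_block)."""
    balance = read_balance(block)
    if balance < price:
        return False, block
    return True, block[:4] + struct.pack("<H", balance - price) + block[6:]


class Ledger:
    """Hardened design: the card carries only an identifier; value is held
    server-side, so writing to the card cannot change what the terminal charges."""

    def __init__(self):
        self._balances = {}

    def top_up(self, uid, cents):
        # In production this is reached only after the payment processor confirms
        # that the customer actually paid.
        self._balances[uid] = self._balances.get(uid, 0) + cents
        return self._balances[uid]

    def balance(self, uid):
        return self._balances.get(uid, 0)

    def charge(self, uid, price):
        balance = self.balance(uid)
        if balance < price:
            return False
        self._balances[uid] = balance - price
        return True


def demo():
    """Same card, same forged write, two terminal designs. Returns
    (accepted_by_card_trusting_terminal, accepted_by_ledger_terminal)."""
    uid = bytes.fromhex("deadbeef")
    card = make_card(uid, 500)                     # $5.00 genuinely paid for
    forged = forge_top_up(card, MAX_CENTS)         # card now claims $655.35

    accepted_vuln, _ = charge_card_trusting(forged, 60000)  # $600 purchase goes through

    ledger = Ledger()
    ledger.top_up(uid, 500)                        # the $5.00 that was actually paid
    accepted_ledger = ledger.charge(forged[:4], 60000)      # forged block is irrelevant
    return accepted_vuln, accepted_ledger


if __name__ == "__main__":
    print(demo())
```

The ledger removes the balance-forgery primitive, but it does not by itself solve the problem this card technology poses: a MiFare Classic UID is copyable, so the ledger must treat it as an identifier, not an authenticator, and pair it with per-terminal fraud limits or a stronger card that can authenticate itself.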

SEC Consult published an advisory describing its research this week. The company has made available a detailed timeline of its interaction with KioSoft, revealing that it took the vendor well over a year to release a patch.

The security firm first contacted KioSoft in October 2023, but the vendor was unresponsive until the CERT Coordination Center at the Software Engineering Institute of Carnegie Mellon University became involved. 


SEC Consult claims to have sent many requests for a status update since October 2023, with many going unanswered. The timeline shows that the vendor has requested several extensions to the disclosure deadline, and ultimately informed the security firm that a firmware patch was released in the summer of 2025. The vendor indicated that new hardware would also be rolled out in the future. 

KioSoft refused to provide version numbers of impacted and patched releases, arguing that affected customers would be privately notified, the security firm said. While KioSoft’s products are widely used, the vendor told SEC Consult that most of its solutions do not use the vulnerable MiFare card technology.

SEC Consult no longer has access to the terminals it initially conducted its research on and it could not verify the vendor’s patch. 

KioSoft has not responded to SecurityWeek’s request for comment. 

Related: eSIM Hack Allows for Cloning, Spying

Related: Major Backdoor in Millions of RFID Cards Allows Instant Cloning

https://www.securityweek.com/payment-system-vendor-took-year-to-patch-infinite-card-top-up-hack-security-firm/