The Manufacturer Took Over a Year to Fix a Vulnerability That Allowed Unlimited NFC Card Top-Ups

Security researchers from SEC Consult, part of Eviden, revealed that payment solutions company KioSoft spent more than a year addressing a serious vulnerability in some of its NFC cards.
KioSoft produces automated self-service payment terminals for laundromats, gaming arcades, vending machines, and car washes. With offices in seven countries, the company reports more than 41,000 kiosks and 1.6 million payment terminals deployed across 35 nations.
Discovery of the Flaw
In 2023, SEC Consult researchers identified a critical issue affecting KioSoft’s prepaid cards—designated CVE-2025-8699—that allowed attackers to add unlimited credit. Customers typically use these cards by topping them up for transactions at KioSoft payment terminals.
The vulnerability stemmed from how the system stored balance information. Instead of being recorded in a secure backend database, the balance was kept locally on the card. The affected cards used MIFARE Classic NFC technology, already known in the security community for its weaknesses.
By exploiting these weaknesses, researchers could read and rewrite card data, effectively “creating money out of thin air.” For example, an attacker could raise a card’s balance to the maximum of $655—and repeat the process indefinitely.
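The design flaw the researchers describe is architectural: a terminal that trusts a balance field stored on the card has no way to distinguish a balance it wrote from one an attacker rewrote. The following is an added illustration, not code from KioSoft, SEC Consult, or the advisory, of the two ways a terminal can avoid that trust. It assumes the balance is a 16-bit field in cents (so the article's $655 ceiling becomes 65500), a server-held HMAC key (generated fresh here), and a per-card write counter the backend tracks; the card UIDs and amounts are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed example: in a real deployment SERVER_KEY lives in the backend or an HSM,
# never in a terminal that can be physically opened. Generated fresh here.
SERVER_KEY = secrets.token_bytes(32)

# The article's $655 ceiling, taken as cents (assumption: a 16-bit cents field).
MAX_BALANCE_CENTS = 65500
TAG_LEN = 32  # HMAC-SHA256 output length


class BackendLedger:
    """Preferred design: the backend is the only source of truth for a balance.
    The card carries nothing but an identifier, so rewriting the card changes nothing."""

    def __init__(self):
        self._balances = {}

    def top_up(self, uid, cents):
        """Credit the card; return the new balance, or None if the request is invalid."""
        if cents <= 0:
            return None
        new_balance = self._balances.get(uid, 0) + cents
        if new_balance > MAX_BALANCE_CENTS:
            return None  # cap enforced server-side, not by a card field wrapping around
        self._balances[uid] = new_balance
        return new_balance

    def charge(self, uid, cents):
        """Debit the card; True on success, False if funds are insufficient."""
        balance = self._balances.get(uid, 0)
        if cents <= 0 or balance < cents:
            return False
        self._balances[uid] = balance - cents
        return True

    def balance(self, uid):
        return self._balances.get(uid, 0)


def seal_balance(uid, balance, counter):
    """Fallback for offline terminals that must keep a balance on the card: write
    uid || balance (2 bytes) || write-counter (4 bytes) || HMAC-SHA256 tag, so the
    terminal can tell a record it produced from one that was rewritten."""
    body = uid + balance.to_bytes(2, "big") + counter.to_bytes(4, "big")
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return body + tag


def verify_card_record(uid, record, expected_counter):
    """Return the balance if the record is authentic, bound to this card and current;
    None if it was tampered with, copied from another card, or is a replayed old record."""
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected_tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # the balance bytes (or anything else) were rewritten
    n = len(uid)
    if body[:n] != uid:
        return None  # valid record, but sealed for a different card
    balance = int.from_bytes(body[n:n + 2], "big")
    counter = int.from_bytes(body[n + 2:n + 6], "big")
    if counter != expected_counter:
        return None  # an older record was restored after a charge (replay)
    return balance


def tamper_checks():
    """Constructed walk-through of the three rewrites the sealed record defeats."""
    uid = bytes.fromhex("04a1b2c3")            # constructed 4-byte card UID
    rec1 = seal_balance(uid, 1000, counter=1)  # $10.00 after a legitimate top-up
    out = {"genuine": verify_card_record(uid, rec1, 1) == 1000}

    # 1. The balance field is overwritten in place with the maximum value.
    forged = bytearray(rec1)
    forged[4:6] = MAX_BALANCE_CENTS.to_bytes(2, "big")
    out["rewrite_rejected"] = verify_card_record(uid, bytes(forged), 1) is None

    # 2. $3.00 is spent (terminal writes counter 2); the pre-spend record is restored.
    rec2 = seal_balance(uid, 700, counter=2)
    out["replay_rejected"] = verify_card_record(uid, rec1, 2) is None
    out["current_ok"] = verify_card_record(uid, rec2, 2) == 700

    # 3. The current record is copied onto a second card.
    out["clone_rejected"] = verify_card_record(bytes.fromhex("04ffeedd"), rec2, 2) is None
    return out


if __name__ == "__main__":
    print(tamper_checks())
```

The ledger is the design the article contrasts with KioSoft's: once the balance lives only in the backend, the card's memory is outside the trust boundary and the MIFARE Classic weaknesses stop mattering for the balance. The sealed record is strictly a second-best for terminals that must work offline; it catches in-place rewrites, copied records and restored old balances, but it still depends on the key never reaching an attacker and on the backend eventually reconciling the counters.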
Tools and Skills Required
According to SEC Consult, carrying out the attack required a Proxmark device, widely used for RFID analysis and penetration testing, as well as a working knowledge of MIFARE vulnerabilities. While the attack was not trivial, it was well within reach of a motivated adversary.
A Delayed Fix
Researchers first alerted KioSoft in October 2023. The company did not respond until national CERT experts became involved. Even then, KioSoft repeatedly requested extensions to the disclosure timeline, delaying a resolution.
Ultimately, the company stated that updated firmware became available in the summer of 2025—over a year after initial disclosure. KioSoft added that future hardware products will incorporate stronger security mechanisms.
However, the manufacturer declined to share version numbers for the vulnerable and patched releases, insisting that affected customers would be informed privately. KioSoft also maintained that most of its deployed systems do not rely on MIFARE Classic technology.
Questions Remain
SEC Consult researchers note they no longer have access to the original terminals, meaning they cannot independently confirm the effectiveness of KioSoft’s patch. This leaves some uncertainty over how well the fix protects against exploitation.