Alarming Security Flaw in KioSoft NFC Payment Cards Exposes Millions to Fraud

Introduction

In today’s fast-paced digital payment world, security is more critical than ever. However, a recent discovery by cybersecurity experts has unveiled a glaring vulnerability in KioSoft’s NFC-based payment cards, putting millions of transactions at risk. This flaw highlights how even widely deployed payment systems can be compromised if proper security measures are delayed.

KioSoft’s Payment System Under Fire

KioSoft, a Florida-based company with offices in seven countries, manufactures self-service payment kiosks used in laundromats, vending machines, arcades, and car washes. Its network reportedly includes over 41,000 kiosks and 1.6 million payment terminals in 35 countries. Despite its extensive reach, a serious vulnerability was found in some of its stored-value NFC cards.

The Vulnerability Explained

SEC Consult, a cybersecurity consulting firm under Eviden, discovered in 2023 that certain KioSoft cards were susceptible to CVE-2025-8699. These stored-value cards function as digital wallets that customers reload for transactions. The issue arises because the balance is stored locally on the card rather than on a secure server, allowing hackers to manipulate the card’s balance.

How the Hack Works

The affected cards use MIFARE Classic NFC technology, whose security weaknesses have been publicly known for years. Researchers found that by exploiting these weaknesses they could read and write data on the cards, effectively creating unlimited funds. Using a hardware tool such as Proxmark, an attacker can raise the balance to as much as $655, and do so repeatedly, although some technical knowledge of MIFARE cards is required.

Slow Response Raises Concerns

Despite the severity, KioSoft was slow to act. SEC Consult first reported the vulnerability in October 2023, but the company remained unresponsive until Carnegie Mellon University’s CERT Coordination Center intervened. It took over a year before a firmware patch was released in summer 2025, and even now, KioSoft has not disclosed exact version numbers of affected and patched releases.

Potential Risk Scope

While KioSoft claims that most of its products do not use the vulnerable MIFARE cards, the lack of transparency and the delayed response raise significant concerns. Millions of terminals and stored-value cards remain potentially exposed until verified patches are fully deployed.

What Undercode Say: 🕵️‍♂️

The KioSoft case exposes critical lessons for payment security. First, storing balances locally on NFC cards is inherently risky. Digital wallets should prioritize server-side balance management to prevent unauthorized manipulation. Second, reliance on outdated technologies such as MIFARE Classic cards in high-transaction environments is unacceptable. Companies must phase out legacy systems proactively rather than reactively.
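To make the first lesson concrete, the following Python example (written for this article; it is not KioSoft's, SEC Consult's or any vendor's code) contrasts the two designs described above: a legacy terminal that trusts the balance stored on the card, and a ledger-backed terminal that treats the card only as an identifier and keeps balance and a per-card transaction counter on the server. It also shows a reconciliation check a fleet still on card-stored value could run to detect a card reporting more than it was ever loaded with. The card layout, the `uid` and `counter` fields, the alert strings and the assumption that the on-card balance is a 16-bit cent field (consistent with the roughly $655 ceiling mentioned above) are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: the on-card balance is a 16-bit field holding cents, which matches
# the roughly $655 ceiling mentioned in the article.
MAX_CARD_BALANCE_CENTS = 0xFFFF


@dataclass
class Card:
    """What a terminal reads from a card. Field names are constructed for the demo."""
    uid: str            # card serial number, used as the ledger key
    balance_cents: int  # trusted only in the legacy card-stored-value model
    counter: int        # assumption: per-card use counter written at each transaction


class CardStoredValueTerminal:
    """Legacy model: the terminal trusts whatever balance the card reports."""

    def charge(self, card: Card, price_cents: int) -> bool:
        if card.balance_cents < price_cents:
            return False
        card.balance_cents -= price_cents  # debit is written back to the card
        card.counter += 1
        return True


class ServerLedger:
    """Hardened model: the card is an identifier; balance and counter live here."""

    def __init__(self) -> None:
        self.balance: Dict[str, int] = {}
        self.counter: Dict[str, int] = {}
        self.alerts: List[str] = []

    def enroll(self, uid: str, cents: int) -> None:
        self.balance[uid] = cents
        self.counter[uid] = 0

    def charge(self, card: Card, price_cents: int) -> bool:
        if card.uid not in self.balance:
            self.alerts.append(f"{card.uid}: unknown card")
            return False
        # A card whose counter lags the ledger was restored from an older image
        # or copied; refuse it and raise an alert for investigation.
        if card.counter != self.counter[card.uid]:
            self.alerts.append(
                f"{card.uid}: counter mismatch card={card.counter} ledger={self.counter[card.uid]}")
            return False
        if self.balance[card.uid] < price_cents:
            return False  # ordinary insufficient funds, no alert
        self.balance[card.uid] -= price_cents
        self.counter[card.uid] += 1
        card.counter += 1  # terminal writes the new counter back to the card
        return True

    def reconcile(self, card: Card) -> bool:
        """Shadow-balance check for a fleet still on card-stored value: flag any
        card that reports more than the ledger has ever credited to it."""
        expected = self.balance.get(card.uid)
        if expected is None:
            self.alerts.append(f"{card.uid}: unknown card")
            return False
        if card.balance_cents > expected:
            self.alerts.append(
                f"{card.uid}: card reports {card.balance_cents} cents but ledger expects {expected}")
            return False
        return True


def demo() -> Tuple[bool, bool, bool, bool, int, List[str]]:
    """Constructed scenario: a card enrolled with $10.00 whose on-card balance
    field has been altered to the maximum the field can hold."""
    ledger = ServerLedger()
    ledger.enroll("04A1B2C3", 1000)
    tampered = Card(uid="04A1B2C3", balance_cents=MAX_CARD_BALANCE_CENTS, counter=0)

    # 1. The legacy terminal sells a $50.00 wash against the inflated on-card figure.
    legacy_accepts = CardStoredValueTerminal().charge(
        Card(uid="04A1B2C3", balance_cents=MAX_CARD_BALANCE_CENTS, counter=0), 5000)
    # 2. The ledger-backed terminal ignores the on-card figure: only $10.00 is on record.
    ledger_accepts = ledger.charge(tampered, 5000)
    # 3. Reconciliation flags the card for reporting more than it was ever loaded with.
    ledger.reconcile(tampered)
    # 4. A legitimate $3.00 purchase still goes through and advances the counter.
    honest_accepts = ledger.charge(tampered, 300)
    # 5. A card image captured before step 4 (counter still 0) is refused as stale.
    stale = Card(uid="04A1B2C3", balance_cents=1000, counter=0)
    stale_accepts = ledger.charge(stale, 300)

    return (legacy_accepts, ledger_accepts, honest_accepts, stale_accepts,
            ledger.balance["04A1B2C3"], ledger.alerts)


if __name__ == "__main__":
    for alert in demo()[5]:
        print("ALERT", alert)
```

Running `demo()` shows the legacy terminal accepting the $50 charge while the ledger-backed terminal refuses it, raises an alert on reconciliation, still serves the honest $3 purchase, and rejects the stale card image. The counter check is what makes the server design resistant to a card being restored to an earlier state; the reconciliation check is the stop-gap detection an operator can run while legacy card-stored-value terminals are still in the field.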

The year-long delay in patching also emphasizes the importance of vendor responsiveness in cybersecurity. A proactive approach, including transparent communication and rapid deployment of fixes, could have prevented potential exploitation. Moreover, auditing processes for firmware and hardware updates need stricter enforcement.

Hackers do not need advanced skills; with publicly known tools and documentation, they could exploit such vulnerabilities at scale. The KioSoft scenario is a warning for other payment solution providers globally to review their NFC and digital wallet security protocols.

The financial and reputational impact on KioSoft could be severe if exploitations were discovered before patching. Regulatory authorities may also step in, as slow response violates best practices for consumer data and financial protection.

Fact Checker Results ✅❌

✅ Vulnerability CVE-2025-8699 confirmed by SEC Consult.

❌ KioSoft has not disclosed detailed impacted versions.

✅ Over 1.6 million payment terminals globally could have been affected.

Prediction 🔮

If KioSoft and other payment solution providers fail to adopt proactive security measures, similar exploits could increase, targeting unattended kiosks and digital wallets worldwide. In the next 12–18 months, we might see stricter regulations around NFC card security and potentially a global push to retire legacy MIFARE Classic technology. Companies that act swiftly on security updates will not only protect users but also strengthen their brand reputation.

This incident underscores a critical truth: in the world of digital payments, speed and transparency in addressing vulnerabilities can be just as important as the technology itself.


References:

Reported By: www.securityweek.com