KioSoft, a Florida-based company, is a global provider of unattended self-service payment machines for businesses such as laundromats, arcades, and vending operators. With offices in seven countries and a claimed deployment of over 41,000 kiosks and 1.6 million payment terminals, the company has a significant installed base. That reach is what makes the flaw recently disclosed by the cybersecurity firm SEC Consult, part of Eviden, so consequential.
In 2023, SEC Consult researchers found that some of KioSoft's stored-value cards, which customers reload and then present at payment terminals, were vulnerable to balance manipulation. The flaw, tracked as CVE-2025-8699, lets an attacker add money to a card for free. The root cause is that the card's balance is stored on the card itself rather than in a centralized server-side ledger, so the terminal has no independent record against which to check what the card presents. The affected cards used MIFARE Classic NFC technology, whose proprietary Crypto-1 cipher was broken in 2008; the sector keys that protect reads and writes can be recovered with publicly documented attacks and freely available tooling.
Using those known MIFARE Classic weaknesses and an analysis of how the balance is laid out on the card, SEC Consult researchers recovered the keys, read the card's data, and wrote an arbitrary balance back, effectively "creating money out of thin air." A single write can only raise the balance to about $655 (a ceiling consistent with a 16-bit balance field counted in cents, whose maximum is 65,535), but the process can be repeated once the money has been spent. The attack needs a Proxmark3 or comparable RFID research tool and working knowledge of the MIFARE Classic key-recovery attacks; once the keys are known, reading and rewriting blocks is routine.
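To make the root cause concrete, here is an added Python model (not KioSoft's or SEC Consult's code) of three terminal designs facing the same forged write: balance on the card in the clear, balance on the card bound to the UID by a keyed MAC, and balance in a server-side ledger. The block number, the 16-bit little-endian cents layout, the MAC scheme, the key and the UID are assumptions; key recovery is not modelled, the attacker is simply allowed to write, which is the position a Proxmark user is in once Crypto-1 has given up the sector key. It goes beyond the article in showing that the MAC variant stops forgery but not rollback.

```python
"""Toy model of the design flaw behind the KioSoft card attack (added example,
not KioSoft's or SEC Consult's code). A balance kept on a MIFARE Classic card
can be rewritten by anyone who recovers the sector key; a balance kept in a
server-side ledger cannot. Block number, 16-bit LE cents layout, MAC scheme,
key and UID below are assumptions."""
import hashlib
import hmac
import struct

BALANCE_BLOCK = 4   # assumed: first data block of sector 1
MAX_CENTS = 0xFFFF  # a 16-bit cents field tops out at $655.35


class MifareClassicCard:
    """64 blocks of 16 bytes; key recovery is modelled as 'anyone can write'."""
    def __init__(self, uid):
        self.uid, self.blocks = uid, [bytes(16)] * 64

    def read(self, n):
        return self.blocks[n]

    def write(self, n, data):
        self.blocks[n] = bytes(data)


def encode_balance(cents, mac=b""):
    """2-byte LE cents, optional 8-byte MAC, zero padding (assumed layout)."""
    if not 0 <= cents <= MAX_CENTS:
        raise ValueError("balance does not fit in 16 bits")
    return (struct.pack("<H", cents) + mac).ljust(16, b"\x00")


def attacker_write_balance(card, cents):
    """What the Proxmark attack amounts to once the sector key is known."""
    card.write(BALANCE_BLOCK, encode_balance(cents))


class Terminal:
    """Shared business logic; subclasses decide where the balance lives."""
    def issue(self, card):
        self._store(card, 0)

    def top_up(self, card, cents):
        self._store(card, self.balance(card) + cents)

    def charge(self, card, cents):
        bal = self.balance(card)
        if bal < cents:
            return False
        self._store(card, bal - cents)
        return True


class CardBalanceTerminal(Terminal):
    """Vulnerable design: the card is the only ledger, so the terminal believes it."""
    def balance(self, card):
        return struct.unpack("<H", card.read(BALANCE_BLOCK)[:2])[0]

    def _store(self, card, cents):
        card.write(BALANCE_BLOCK, encode_balance(cents))


class MacCardBalanceTerminal(Terminal):
    """Partial fix: balance bound to the UID by a keyed MAC. Inventing a value
    needs the terminal key, but restoring a dumped genuine block still works."""
    def __init__(self, key):
        self.key = key

    def _mac(self, uid, cents):
        msg = uid + struct.pack("<H", cents)
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:8]

    def balance(self, card):
        blk = card.read(BALANCE_BLOCK)
        cents = struct.unpack("<H", blk[:2])[0]
        if not hmac.compare_digest(blk[2:10], self._mac(card.uid, cents)):
            raise ValueError("balance block rejected: bad MAC")
        return cents

    def _store(self, card, cents):
        card.write(BALANCE_BLOCK, encode_balance(cents, self._mac(card.uid, cents)))


class ServerBalanceTerminal(Terminal):
    """Hardened design: ledger keyed by UID on the server; the card holds no value."""
    def __init__(self):
        self.ledger = {}

    def balance(self, card):
        return self.ledger.get(card.uid, 0)

    def _store(self, card, cents):
        self.ledger[card.uid] = cents


def demo():
    """Same forged write against each design; returns what each terminal then sees."""
    uid, r = b"\xde\xad\xbe\xef", {}  # constructed 4-byte UID

    card, term = MifareClassicCard(uid), CardBalanceTerminal()
    term.top_up(card, 500)                   # legitimately loaded $5.00
    attacker_write_balance(card, MAX_CENTS)  # "money out of thin air"
    r["card_forged"] = term.balance(card)    # 65535 cents = $655.35

    card, term = MifareClassicCard(uid), MacCardBalanceTerminal(b"terminal-secret")
    term.issue(card)
    term.top_up(card, 500)
    snapshot = card.read(BALANCE_BLOCK)      # attacker dumps the genuine block
    term.charge(card, 400)                   # spends down to $1.00
    attacker_write_balance(card, MAX_CENTS)  # unsigned forgery
    try:
        term.balance(card)
        r["mac_forged"] = True
    except ValueError:
        r["mac_forged"] = False
    card.write(BALANCE_BLOCK, snapshot)      # rollback: restore the dump
    r["mac_rollback"] = term.balance(card)   # 500 again; the $4.00 charge is gone

    card, term = MifareClassicCard(uid), ServerBalanceTerminal()
    term.top_up(card, 500)
    attacker_write_balance(card, MAX_CENTS)
    r["server_forged"] = term.balance(card)  # still 500
    return r
```

The rollback case is the one to keep in mind when judging a terminal-only fix: any scheme that leaves the card as the sole record can be beaten by dump, spend, restore, so detecting it needs a server-side counter or ledger. A UID-keyed ledger in turn assumes the UID cannot be cloned, which "magic" MIFARE Classic cards with writable UIDs do allow; a cloned card then shares one account rather than creating money, which is the difference that matters, but it is also why the durable fix is a card platform with real mutual authentication rather than a smarter terminal.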
SEC Consult has published an advisory detailing its research and a timeline of its communication with KioSoft. The timeline reveals a significant delay in KioSoft’s response, as it took the company more than a year to address the issue. The security firm first contacted KioSoft in October 2023 but received no response until the CERT Coordination Center at Carnegie Mellon University got involved. Throughout this period, SEC Consult’s requests for updates were often ignored, and KioSoft repeatedly asked for extensions to the disclosure deadline.
KioSoft finally released a firmware patch in the summer of 2025 and indicated that new hardware would be rolled out in the future. However, KioSoft declined to provide the version numbers of the affected and patched software, stating that it would notify affected customers privately, which leaves operators unable to check for themselves whether a given terminal is patched. While the company says that most of its solutions do not use the vulnerable MIFARE Classic technology, SEC Consult could not verify the effectiveness of the patch because it no longer had access to the terminals used in its research. A caveat worth noting: a terminal-side firmware update cannot change where the value is stored. As long as the balance lives on a card whose cipher is broken, a terminal can at best detect some forms of tampering; the structural fix is to hold balances in a server-side ledger or to move to a card platform with sound authentication, which is presumably what the promised new hardware is meant to deliver.