Denial of Service Vulnerability in Suprema BioStar 2 by Suprema
CVE-2026-9509

8.7HIGH

Key Information:

Vendor: Suprema
Status: BiOStar 2 (server)
Vendor: CVE Published:; 29 May 2026

What is CVE-2026-9509?

An unhandled exception in Suprema BioStar 2, specifically in versions 2.9.8 through 2.9.11, can allow unauthenticated remote attackers to disrupt service. By sending specially crafted HTTP POST requests to the '/api/migration' endpoint, attackers can trigger a failure that brings down essential processes, effectively making the system inoperative until a manual restart is performed. The unavailability of access control readers can lead to significant operational disruptions and may impact third-party system integrations. Given the ease of automation for this exploit and the lack of authentication requirements, the availability of interconnected systems may also be considerably compromised.

Affected Version(s)

BioStar 2 (server) v2.9.11

BioStar 2 (server) v2.9.10

BioStar 2 (server) v2.9.8

References

https://www.incibe.es/en/incibe-cert/notices/aviso/multip...

patch

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 29, 2026
Vulnerability Reserved
May 25, 2026

Credit

Jordi Garcia Ribera

CVE-2026-9509 Data

JSON