
Vendor spent a year fixing a flaw that allowed unlimited top-ups of NFC cards

Security researchers from SEC Consult, part of Eviden, reported that the payments company KioSoft spent more than a year fixing a serious vulnerability affecting some of its NFC cards.

KioSoft manufactures automated self-service payment terminals used in self-service laundromats, arcades, vending machines, and car washes. The company has offices in seven countries, and its official website states that it has deployed more than 41,000 self-service kiosks and 1.6 million payment terminals in 35 countries worldwide.

Back in 2023, SEC Consult specialists discovered that certain KioSoft prepaid cards, which customers can top up for use at specific payment terminals, were affected by a vulnerability now tracked as CVE-2025-8699. The issue could be exploited to top up a card's balance for free.

The attack relied on the fact that balance information was stored locally on the card rather than in a protected online database. The vulnerable cards used MIFARE Classic NFC technology, which has numerous security issues.

Building on already known MIFARE Classic weaknesses and an analysis of how data is laid out on KioSoft cards, the researchers found they could read and write the card contents, which allowed them to literally “create money out of thin air.” A single write could raise a card’s balance to a maximum of $655, and the process could be repeated multiple times.
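Added illustration, not code from the article or from KioSoft: a constructed simulation of the design flaw described above, a terminal that trusts the balance stored on the card, next to a ledger-backed terminal that treats the card copy only as a cross-check and stops trusting a card whose stored value no longer matches the backend. The card UIDs and the 16-bit cents field are assumptions, not details from the report.

```python
from dataclasses import dataclass

# Assumption (not stated in the article): the card's value field is 16-bit cents,
# which is consistent with the reported $655 ceiling (0xFFFF cents = $655.35).
MAX_CENTS = 0xFFFF


@dataclass
class Card:
    """Constructed stand-in for a MIFARE Classic card whose value block can be rewritten."""
    uid: str
    cents: int


class VulnerableTerminal:
    """Trusts the balance stored on the card, as in the design the advisory describes."""

    def charge(self, card: Card, price: int) -> bool:
        if card.cents < price:
            return False
        card.cents -= price          # the card itself is the only ledger
        return True


class LedgerTerminal:
    """Keeps the authoritative balance server-side; the card copy is only a cross-check."""

    def __init__(self) -> None:
        self.ledger: dict[str, int] = {}   # uid -> balance in cents (would live in a backend)
        self.blocked: set[str] = set()     # uids whose card copy diverged from the ledger

    def issue(self, card: Card) -> None:
        self.ledger[card.uid] = card.cents = 0

    def topup(self, card: Card, cents: int) -> None:
        self.ledger[card.uid] = min(self.ledger[card.uid] + cents, MAX_CENTS)
        card.cents = self.ledger[card.uid]  # mirror onto the card after the backend committed

    def charge(self, card: Card, price: int) -> bool:
        expected = self.ledger.get(card.uid)
        if card.uid in self.blocked or expected is None:
            return False                 # unknown or already-flagged card: never trust it
        if card.cents != expected:       # card claims more (or less) than the backend knows
            self.blocked.add(card.uid)   # tampered or cloned: stop trusting it, flag for review
            return False
        if expected < price:
            return False
        self.ledger[card.uid] = expected - price
        card.cents = self.ledger[card.uid]
        return True
```

The point of the comparison is that once the backend is the source of truth, a rewritten value block is evidence of tampering rather than spendable credit.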

According to experts, to carry out such an attack one could use a tool like Proxmark, which is designed for RFID security analysis, research, and development. The attacker also needed to have at least a general understanding of MIFARE vulnerabilities.

In their report, the researchers said that KioSoft needed more than a year to release a patch. The specialists first contacted KioSoft back in October 2023, but the vendor did not respond until CERT experts got involved.

And even after that, the vendor repeatedly requested extensions to the vulnerability disclosure timeline, and ultimately informed the researchers that the updated firmware was released in the summer of 2025. KioSoft also emphasized that they plan to release new hardware solutions with better protection in the future.

At the same time, KioSoft declined to provide version numbers for the vulnerable and fixed releases, stating that affected customers would be notified privately. Although KioSoft’s products are used very widely, the company claims that most of its solutions do not use the vulnerable MIFARE technology.

SEC Consult specialists report that they no longer have access to the terminals used in the original research, so they were unable to verify whether the patches that were eventually released actually fix the issue.
