Description
An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and potential failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems.
Published: 2026-05-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unhandled exception occurs in the Suprema BioStar 2 server when an HTTP POST request is sent to the /api/migration endpoint. The error halts critical processes, causing the system to become unavailable until the services or the server are restarted. Because the flaw requires neither authentication nor user interaction, an attacker can trigger it from any network that can reach the endpoint, resulting in a high‑impact denial of service that also disrupts access control readers and may break third‑party integrations.

Affected Systems

Suprema BioStar 2 (Server) versions 2.9.8, 2.9.10, and 2.9.11 are affected. Installations running these server releases are vulnerable to unauthenticated remote DoS attacks via the /api/migration endpoint.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. However, the absence of any authentication requirement and the trivial automation of the trigger mean the vulnerability is readily exploitable by unauthenticated remote actors. The likelihood of exploitation is high, and the impact extends to interconnected systems.

Generated by OpenCVE AI on May 29, 2026 at 13:23 UTC.

Remediation

Vendor Solution

The vulnerability has been fixed by the Suprema team. We recommend updating to the latest available version.


OpenCVE Recommended Actions

  • Apply the latest Suprema BioStar 2 update to remove the unhandled exception.
  • After installation, restart the BioStar services to ensure the patch takes effect and the /api/migration endpoint no longer causes crashes.
  • Implement a temporary rate‑limit or firewall rule on /api/migration to block excessive POST requests until the update is deployed.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Supremainc; Supremainc biostar 2
Vendors & Products   -                Supremainc; Supremainc biostar 2

Fri, 29 May 2026 14:30:00 +0000

Type     Values Removed   Values Added
Metrics  -                ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 29 May 2026 12:45:00 +0000

Type         Values Removed   Values Added
Description  -                (the description shown at the top of this page)
Title        -                Uncaught exception vulnerability in Suprema's BioStar
Weaknesses   -                CWE-248
References   -                -
Metrics      -                cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-05-29T13:33:02.406Z

Reserved: 2026-05-25T13:58:49.181Z

Link: CVE-2026-9509

Vulnrichment

Updated: 2026-05-29T13:32:57.843Z

NVD

Status: Deferred

Published: 2026-05-29T13:16:24.120

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-9509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-29T15:46:42Z

Weaknesses