CVE-2025-11998 is a vulnerability classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) affecting HP Inc. Card Readers B Models X3D03B and Y7C05B, specifically version 1.0. The flaw allows sensitive user identity information from a previous card swipe to be unintentionally inherited and exposed when an NFC-enabled device (e.g., smartphone or smartwatch) is in close proximity during a card swipe event. This occurs due to improper handling of session or identity data within the card reader firmware or software, which fails to clear or isolate prior user information under these conditions. The vulnerability requires physical proximity to the card reader and user interaction (a card swipe) but does not require any authentication or privileges. The CVSS v4.0 score is 6.8 (medium severity), reflecting the vulnerability’s moderate impact on confidentiality and integrity, with high scope since the exposure affects data beyond the immediate user session. No known exploits have been reported in the wild, and no patches have been published yet. The vulnerability is significant in environments where multiple users share card readers and where NFC devices are commonly present, potentially allowing an attacker with an NFC device to glean sensitive identity information from prior users.

For European organizations, this vulnerability poses a risk of sensitive identity information leakage, potentially enabling unauthorized access or impersonation if attackers can capture prior user data. This is particularly concerning in high-security environments such as government agencies, financial institutions, and enterprises relying on HP Card Readers for physical access control or secure authentication. The exposure could undermine user privacy and trust, and facilitate further attacks such as social engineering or credential replay. The requirement for physical proximity and user interaction limits remote exploitation but does not eliminate risk in densely populated or shared workspace environments. The impact on confidentiality is high due to sensitive identity exposure, while integrity is moderately affected. Availability is not impacted. The absence of known exploits reduces immediate risk but does not preclude future exploitation once details become public.

Organizations should immediately assess the deployment of HP Card Readers B Models X3D03B and Y7C05B version 1.0 within their environments. Until patches are available, practical mitigations include: (1) physically isolating card readers from areas where NFC devices are commonly used or carried, such as restricting smartphone use near readers; (2) implementing strict access control policies to limit card reader usage to trusted personnel; (3) monitoring and logging card reader usage to detect anomalous patterns that may indicate exploitation attempts; (4) educating users about the risk of NFC device proximity during card swipes; (5) coordinating with HP for timely updates and applying vendor patches as soon as they are released; (6) considering alternative card reader models or authentication methods that do not exhibit this vulnerability; and (7) conducting regular security audits of physical access control systems to identify and remediate similar risks.