CVE-2025-61234 is a vulnerability in the Dataphone A920 payment terminal, specifically version 2025.07.161103, caused by incorrect access control on a service listening on TCP port 8888. This service is exposed by default on the local network and does not require any authentication, allowing an attacker with network access to connect to the device via a raw TCP socket. This lack of authentication constitutes a CWE-284 (Improper Access Control) weakness. When an HTTP request is sent to port 8888, the device responds with an error message that inadvertently discloses internal details such as the device's build version and packet headers identifying Paytef dataphone packets. The vulnerability allows an attacker to gather sensitive information about the device and potentially interact with it in unauthorized ways, which could lead to further exploitation or data leakage. The CVSS v3.1 score of 7.5 reflects a high severity due to the network attack vector (AV:N), no required privileges (PR:N), no user interaction (UI:N), and a significant confidentiality impact (C:H) without affecting integrity or availability. Although no public exploits are currently known, the exposure of an unauthenticated service on a payment device is a critical risk, especially in environments handling sensitive financial transactions. The vulnerability was published on October 29, 2025, with the CVE reserved about a month earlier. No patches or mitigations have been officially released yet, increasing the urgency for organizations to implement compensating controls.

For European organizations, especially those in retail, hospitality, or financial sectors using Dataphone A920 devices, this vulnerability poses a significant risk of unauthorized access to payment terminals. Attackers on the local network could extract sensitive device information, potentially facilitating further attacks such as device manipulation, interception of payment data, or disruption of transaction processing. The confidentiality of payment data and device integrity could be compromised, undermining customer trust and regulatory compliance (e.g., GDPR, PCI DSS). The exposure of device build versions and internal packet headers aids attackers in crafting targeted exploits. Since the vulnerability requires network access but no authentication or user interaction, any compromise of local network security could lead to exploitation. This risk is heightened in environments with insufficient network segmentation or where devices are accessible to untrusted users or devices. The lack of a patch means organizations must rely on network-level mitigations to protect their infrastructure until a vendor fix is available.

1. Immediately isolate Dataphone A920 devices from untrusted or public networks by implementing strict network segmentation and access control lists (ACLs) to restrict access to port 8888 only to authorized management systems. 2. Disable or block the service on port 8888 if possible, or restrict it to trusted IP addresses within the internal network. 3. Monitor network traffic for unusual connections or attempts to access port 8888 on these devices. 4. Implement strong physical security controls to prevent unauthorized local network access near the devices. 5. Engage with the device vendor or supplier to obtain patches or firmware updates addressing this vulnerability as soon as they become available. 6. Review and enhance overall network security posture, including the use of intrusion detection/prevention systems (IDS/IPS) to detect anomalous activity targeting payment terminals. 7. Conduct regular security audits and vulnerability assessments on payment infrastructure to identify and remediate similar weaknesses proactively.