CVE-2025-8699: CWE-922 Insecure Storage of Sensitive Information in KioSoft Stored Value Unattended Payment Solution
Some "Stored Value" Unattended Payment Solutions of KioSoft use vulnerable NFC cards. Attackers could potentially use this vulnerability to change the balance on the cards and generate money. The account balance is stored on an insecure MiFare Classic NFC card and can be read and written back. By carefully observing changes in card dumps, one can identify fields that store the cash value of the card. Additionally, a checksum can be identified, which is created by XOR-ing the cash and an unknown field with a certain value. By updating the fields accordingly, arbitrary amounts of money can be loaded onto the card (up to $655,35) to pay for goods.
AI Analysis
Technical Summary
CVE-2025-8699 is a critical vulnerability affecting KioSoft's Stored Value Unattended Payment Solution, which relies on MiFare Classic NFC cards to store account balances. The vulnerability arises from insecure storage of sensitive information (CWE-922) on these NFC cards. Specifically, the balance data is stored directly on the card without adequate cryptographic protection, allowing attackers to read and write the stored value. By analyzing multiple card dumps, attackers can identify the exact fields representing the cash balance and the checksum mechanism, which is computed by XOR-ing the cash value with an unknown field and a constant. This knowledge enables attackers to manipulate the card data and update the balance arbitrarily, potentially loading up to $65,535 onto the card. The vulnerability requires no authentication or user interaction and can be exploited remotely via NFC communication. The CVSS 3.1 score of 9.1 reflects the high impact on confidentiality and integrity, with network attack vector, low attack complexity, and no privileges or user interaction required. Although no known exploits are currently reported in the wild, the simplicity of the attack and the widespread use of MiFare Classic cards in unattended payment systems make this a significant threat. The lack of available patches as of the publication date further exacerbates the risk.
Potential Impact
For European organizations deploying KioSoft's Stored Value Unattended Payment Solutions, this vulnerability poses a severe financial risk. Attackers can fraudulently increase card balances, leading to direct monetary losses for merchants and service providers. The integrity of payment transactions is compromised, undermining trust in unattended payment infrastructure. Additionally, widespread exploitation could disrupt operations in sectors relying on these payment solutions, such as public transportation, vending machines, parking services, and event ticketing. The confidentiality breach, while less critical than integrity loss, could expose transaction patterns or user data stored on the cards. The vulnerability's ease of exploitation and lack of authentication requirements mean that attackers can operate anonymously and at scale, potentially causing significant economic damage and reputational harm to affected organizations across Europe.
Mitigation Recommendations
Immediate mitigation should focus on replacing or upgrading the insecure MiFare Classic NFC cards with more secure alternatives that implement strong cryptographic protections, such as MiFare DESFire EV2 or EV3 cards. Organizations should work closely with KioSoft to obtain firmware or hardware updates that address the insecure storage issue. Until patches or replacements are available, deploying additional security controls is advisable, such as limiting the acceptance of stored value cards to those verified through backend validation mechanisms rather than relying solely on card-stored balances. Implementing transaction monitoring to detect anomalous spending patterns can help identify fraudulent activity early. Physical security measures to restrict unauthorized NFC access to unattended payment terminals should be enhanced. Finally, educating staff and users about the risks and encouraging prompt reporting of suspicious card behavior will aid in early detection and response.
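One way to implement the backend validation and transaction monitoring recommended above, as an added example (not KioSoft's code and not part of the original page): the backend keeps its own ledger per card and treats the balance read from the card as an untrusted claim. The log format, terminal and card identifiers, and amounts (in cents) are constructed for illustration.

```python
# Added example: backend shadow ledger for stored-value cards.
# Log format (timestamp,terminal,card,kind,amount,card_balance) is an assumption.

SAMPLE_LOG = """\
2025-09-12T10:00:00Z,T01,CARD_A,topup,2000,0
2025-09-12T10:05:00Z,T02,CARD_A,spend,350,2000
2025-09-12T11:00:00Z,T02,CARD_A,spend,500,60000
2025-09-12T11:30:00Z,T03,CARD_B,spend,300,65535
"""

def parse_line(line):
    ts, terminal, uid, kind, amount, card_balance = line.strip().split(",")
    if kind not in ("topup", "spend"):
        raise ValueError(f"unknown event kind: {kind!r}")
    return {"ts": ts, "terminal": terminal, "uid": uid, "kind": kind,
            "amount": int(amount), "card_balance": int(card_balance)}

def reconcile(log_text):
    """Replay terminal events; the ledger, not the card, is authoritative."""
    ledger, alerts = {}, []   # ledger: card id -> expected balance in cents
    for i, line in enumerate(filter(None, log_text.splitlines())):
        ev = parse_line(line)
        uid, claimed = ev["uid"], ev["card_balance"]
        expected = ledger.get(uid)
        if expected is None:
            # First sighting: a card the backend never funded must be empty.
            expected = 0
            if claimed != 0:
                alerts.append((i, uid, "unknown card presents stored value"))
        elif claimed > expected:
            alerts.append((i, uid, f"card balance exceeds ledger by {claimed - expected}"))
        elif claimed < expected:
            alerts.append((i, uid, f"card balance below ledger by {expected - claimed}"))
        if ev["kind"] == "topup":
            # Top-ups are assumed to be logged only after payment is authorized.
            expected += ev["amount"]
        elif ev["amount"] > expected:
            alerts.append((i, uid, "spend exceeds ledger balance"))
        else:
            expected -= ev["amount"]
        ledger[uid] = expected
    return ledger, alerts

if __name__ == "__main__":
    ledger, alerts = reconcile(SAMPLE_LOG)
    for alert in alerts:
        print(alert)
    print(ledger)
```

A card whose claimed balance is below the ledger is also flagged, since that usually points to a terminal that failed to sync rather than tampering and needs a different response.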
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-08-07T11:34:02.115Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68c403142c3fd21ea9204bc0
Added to database: 9/12/2025, 11:25:08 AM
Last enriched: 9/19/2025, 3:47:55 PM
Last updated: 10/30/2025, 12:13:08 PM