CVE-2025-8699 identifies a critical security vulnerability in KioSoft's Stored Value Unattended Payment Solution, which relies on MiFare Classic NFC cards to store monetary balances. These cards are inherently insecure due to weak cryptographic protections and allow both reading and writing of stored data without proper authentication. Attackers can analyze multiple card dumps to identify the specific data fields representing the cash balance and the associated checksum, which is computed by XOR-ing the cash value with an unknown field and a constant. By manipulating these fields and recalculating the checksum accordingly, an attacker can arbitrarily increase the stored balance on the card, effectively generating counterfeit funds up to $65,535. This attack requires no privileges, no user interaction, and can be performed remotely if physical access to the card is obtained. The vulnerability stems from CWE-922, which concerns insecure storage of sensitive information, exposing the system to integrity and confidentiality breaches. Despite the high CVSS score of 9.1 (AV:N/AC:L/PR:N/UI:N), no patches or firmware updates are currently available, and no exploits have been reported in the wild. The solution's reliance on insecure NFC technology without backend verification or cryptographic safeguards makes it susceptible to fraud and financial abuse.

For European organizations deploying KioSoft's Stored Value Unattended Payment Solution, this vulnerability poses a significant risk of financial fraud and revenue loss due to the ability of attackers to inflate card balances arbitrarily. The integrity of payment transactions is compromised, undermining trust in unattended payment systems. Confidentiality of stored payment data is also at risk, potentially exposing sensitive financial information. The availability of the payment system is not directly affected; however, the financial and reputational damage could lead to operational disruptions and increased scrutiny from regulators. Retailers, transit operators, and other service providers using these NFC-based payment solutions may face increased fraud losses and customer dissatisfaction. Additionally, the lack of patches means organizations must rely on compensating controls, increasing operational complexity and costs. Regulatory compliance risks may arise under GDPR and payment security standards if sensitive financial data is inadequately protected.

Immediate mitigation should focus on replacing MiFare Classic NFC cards with secure alternatives that implement strong cryptographic protections, such as MiFare DESFire EV2 or EV3 cards, which support mutual authentication and encrypted data storage. Organizations should implement backend validation of card balances and transaction logs to detect and prevent fraudulent balance manipulations. Deploying tamper-evident hardware and secure key management practices is critical. Where replacement is not immediately feasible, monitoring transaction anomalies and setting transaction limits can reduce fraud impact. Firmware and software updates should be prioritized once available from KioSoft. Additionally, organizations should conduct security audits of unattended payment systems and train staff to recognize and respond to potential fraud attempts. Collaboration with payment security experts and adherence to PCI DSS guidelines for stored value systems will further enhance defenses.