CVE-2026-9509
Deferred - Pending Action
Unhandled Exception in Suprema BioStar 2 Server Causes DoS

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the '/api/migration' endpoint. This request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and potential failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems.
Meta Information
Generated: 2026-05-29
AI Q&A generated: 2026-05-29
EPSS evaluated: N/A
Related entries: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor    Product     Version / Range
suprema   biostar_2   2.9.8
suprema   biostar_2   2.9.10
suprema   biostar_2   2.9.11
CWE ID    Description
CWE-248   An exception is thrown from a function, but it is not caught.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an unhandled exception (CWE-248) in Suprema BioStar 2 (Server) versions 2.9.8, 2.9.10, and 2.9.11. An unauthenticated remote attacker can cause a denial of service (DoS) by sending an HTTP POST request to the '/api/migration' endpoint.

Handling that request raises an exception that nothing in the server catches. Instead of being turned into an error response, the failure propagates and halts critical processes, so the system stays offline until the services or the server are manually restarted.

While the server is down, access control readers stop functioning and third-party integrations that depend on the server may fail. The attack requires no privileges or user interaction and is trivial to automate, so the impact on availability is high.


How can this vulnerability impact me?

The vulnerability causes a denial of service: the Suprema BioStar 2 server and its critical processes stay unavailable until they are manually restarted.

During that downtime the access control readers managed by the server stop working, so authorized access may be blocked. How readers and door controllers behave while the server is unreachable depends on their own configuration, which the advisory does not describe, so verify this for your deployment.

Third-party integrations that rely on the server may also fail, disrupting broader security or operational workflows.

Because the attack needs no privileges or user interaction and is trivial to automate, the availability impact is high, and an attacker can repeat it as soon as the service has been restarted.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Exploitation attempts can be detected by looking for HTTP POST requests to the '/api/migration' endpoint of a BioStar 2 (Server) instance running 2.9.8, 2.9.10 or 2.9.11. Because a single request is enough to halt the service, volume-based alerting is not required: any POST to this path from an unexpected source is suspicious on its own.

Two sources are useful: network traffic or the logs of a reverse proxy, WAF or IDS placed in front of the server, and the state of the BioStar 2 service itself. A successful attack leaves the service stopped until someone restarts it and takes the connected readers offline, so a service or availability monitor catches the effect even when the triggering request was never logged.

Example commands:

  • Capture plaintext HTTP POST requests to '/api/migration' with tcpdump. This only works if the server is reached over HTTP; over HTTPS the request line is encrypted and has to be inspected at the TLS-terminating proxy or in its logs instead: tcpdump -i <interface> -l -A -s 0 'tcp port 80' | grep --line-buffered 'POST /api/migration'
  • Search a reverse-proxy or web-server access log for the trigger request. The path /var/log/nginx/access.log is an example; use the log of whatever proxy fronts the BioStar 2 server, since the server's own logs may end abruptly at the crash: grep -E '"POST /api/migration[/? ]' /var/log/nginx/access.log
  • Check exposure with curl only against a lab or staging instance and with authorization. This request is the trigger itself and will halt a vulnerable server: curl -X POST --max-time 10 -s -o /dev/null -w '%{http_code}\n' http://<target-ip>/api/migration
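As an added example (not part of the advisory and not Suprema's code), the following Python script performs the log search more robustly than a plain grep: it parses combined-format access log lines from a reverse proxy, normalises the request path so that variants such as a trailing slash, a query string or different letter case are still caught, and groups hits by source address. The log lines embedded in it are constructed for illustration; the combined log format, the presence of a proxy in front of the server, and the 500/502 status codes are assumptions.

```python
"""Scan reverse-proxy / web-server access logs for POST requests to the
BioStar 2 '/api/migration' endpoint (the CVE-2026-9509 trigger).

Added example, not part of the advisory. Assumes requests are logged in
nginx/Apache "combined" format by a reverse proxy or WAF placed in front of
the BioStar 2 server; the sample lines below are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined log format: ip - user [time] "METHOD TARGET PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

TARGET_PATH = "/api/migration"


def is_trigger_request(method: str, target: str) -> bool:
    """True if the request is a POST whose path is /api/migration.

    Query strings, trailing slashes and letter case are normalised so that
    trivial variants such as POST /api/migration/?x=1 still match. Anything
    below /api/migration/ is counted too (conservative); /api/migrations is not.
    """
    if method != "POST":
        return False
    path = urlsplit(target).path.rstrip("/").lower()
    return path == TARGET_PATH or path.startswith(TARGET_PATH + "/")


def scan_log(lines):
    """Return {source_ip: [(timestamp, status), ...]} for matching requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a stricter scanner would report it
        if is_trigger_request(m["method"], m["target"]):
            hits[m["ip"]].append((m["time"], int(m["status"])))
    return dict(hits)


# Constructed sample log: two benign requests, three trigger attempts from one
# source (the proxy returns 502 once the backend has died), one attempt with a
# trailing slash and query string from another source, and a harmless GET.
SAMPLE_LOG = [
    '10.0.0.5 - - [29/May/2026:10:01:02 +0000] "GET /api/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [29/May/2026:10:01:05 +0000] "POST /api/login HTTP/1.1" 200 210 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/May/2026:10:02:00 +0000] "POST /api/migration HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.7 - - [29/May/2026:10:02:01 +0000] "POST /api/migration HTTP/1.1" 502 0 "-" "curl/8.0"',
    '198.51.100.7 - - [29/May/2026:10:02:02 +0000] "POST /api/migration HTTP/1.1" 502 0 "-" "curl/8.0"',
    '203.0.113.9 - - [29/May/2026:10:03:00 +0000] "POST /api/migration/?x=1 HTTP/1.1" 502 0 "-" "python-requests/2.31"',
    '10.0.0.5 - - [29/May/2026:10:03:10 +0000] "GET /api/migration HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, events in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} POST(s) to {TARGET_PATH}, first at {events[0][0]}")
```

Run it against a real file by replacing SAMPLE_LOG with the lines of the proxy's access log; the first timestamp per source tells you when the service most likely went down, which is the moment to correlate with reader outages and service-restart records.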

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability causes a denial of service in Suprema BioStar 2 (Server), taking the system, its access control readers and dependent third-party integrations offline until they are manually restarted. Availability is an explicit security objective in GDPR Article 32(1)(b) and in the HIPAA Security Rule, and a facility access control system is itself a physical safeguard, so an easily repeatable outage of it can affect compliance with both.

The provided information does not describe any direct impact on data confidentiality, integrity or privacy controls required by these regulations.


What immediate steps should I take to mitigate this vulnerability?

If the service has already been halted, restart the affected Suprema BioStar 2 services or the server to restore reader operation; the advisory notes that the system stays offline until this is done manually.

Then remove the attacker's reach to the endpoint: do not expose the BioStar 2 server to the internet or to untrusted network segments, and restrict access to it to management networks and the hosts that legitimately use its API. Where a reverse proxy or WAF fronts the server, deny POST requests to '/api/migration' from anything but known administrative sources. Because a single request causes the outage, rate limiting alone is not a mitigation; the request has to be blocked before it reaches the server.

Add firewall or intrusion prevention rules that block and alert on POST requests to this path, and monitor the BioStar 2 service state so that an outage is noticed before door access fails.

Finally, apply a fixed version from Suprema when one is available. At the time of this entry the record is marked Deferred - Pending Action and lists no fixed version, so check Suprema's advisories and confirm that the installed version is not 2.9.8, 2.9.10 or 2.9.11.

