HarborGuard / CVE
HIGH · CVE-2026-9509 · CNA: INCIBE

CVE-2026-9509: Uncaught exception vulnerability in Suprema's BioStar

An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the '/api/migration' endpoint. The request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems.

HarborGuard Analysis

Synopsis

An unhandled exception in Suprema BioStar 2 server (versions 2.9.8, 2.9.10, and 2.9.11) lets an unauthenticated attacker crash critical services by sending HTTP POST requests to the /api/migration endpoint. The bug is reachable over the network with no credentials and no user interaction, and successful exploitation takes the access-control system offline until services or the server are manually restarted, also disrupting connected third-party integrations. No fix has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against BioStar 2 server images in customer registries and CI pipelines, including custom-built images that repackage the affected versions.
Triage: Available

Triage is available with the CVSS v4.0 score of 8.7 (High) weighted against each customer's compliance policy, so availability-sensitive environments can escalate this DoS more aggressively than others. Findings are routed to the security inbox configured for the owning team inside each customer org.
Patch: Pending upstream

No upstream fix has been published yet. HarborGuard re-checks the Suprema advisory each ingest cycle and will make a patched-image rebuild available the moment a fixed version ships; auto-remediation customers will then automatically receive a rebuild, regression run, and PR against affected workloads.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the BioStar 2 server's HTTP API over the network to hit the /api/migration endpoint.

  • Authentication: Not required

    No credentials are needed; the endpoint accepts the triggering POST request unauthenticated.

  • Victim interaction: Not required

    No user action is involved; the attacker sends the request directly to the server.

  • Attack complexity: Low

    A single crafted POST reliably triggers the unhandled exception and is trivial to automate.

Blast Radius

  • Crashes the BioStar 2 server processes, taking the access-control management service offline until an operator manually restarts services or the host.
  • Access control readers stop functioning while the server is down, which can lock out or fail-open physical entry points depending on reader configuration.
  • Cascading failures in third-party systems integrated with BioStar 2 (visitor management, HR sync, video platforms) during the outage window.
  • No impact to confidentiality or integrity of stored data; the damage is purely availability.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the Suprema advisory for a fixed BioStar 2 release, with the patched-image rebuild becoming available automatically once upstream ships. In the meantime, compensating-control guidance is surfaced alongside the finding: restrict network reachability to the BioStar 2 API to trusted management subnets via network policy or firewall, block external access to /api/migration at a reverse proxy or WAF, and add health-check alerting so an exploited crash is detected and the service restarted quickly. For environments with auto-remediation enabled, the rebuild-and-PR flow will fire as soon as the upstream fix is published, with no manual tracking required.
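The health-check and WAF guidance above boils down to one allowlist decision: POSTs to /api/migration should only ever come from management subnets. The script below is an added example (not HarborGuard's or Suprema's code) that applies that decision to reverse-proxy access-log lines so an operator can alert on untrusted hits and correlate them with a service crash; the 10.20.0.0/24 management subnet and the log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumed management subnets allowed to reach the BioStar 2 API; adjust per site.
TRUSTED_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]
WATCHED_PATH = "/api/migration"

# Combined log format as written by nginx/Apache fronting the BioStar 2 server.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample lines (not real traffic): two untrusted POSTs, one trusted POST,
# one unrelated request and one malformed line that must be skipped.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:10:14:02 +0000] "POST /api/migration HTTP/1.1" 500 112 "-" "curl/8.5.0"',
    '10.20.0.5 - - [12/Mar/2026:10:15:11 +0000] "POST /api/migration HTTP/1.1" 200 54 "-" "BioStarAdmin"',
    '203.0.113.7 - - [12/Mar/2026:10:15:40 +0000] "GET /api/users HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '198.51.100.9 - - [12/Mar/2026:10:16:03 +0000] "POST /api/migration/?x=1 HTTP/1.1" 502 0 "-" "python-requests/2.31"',
    'this line is not an access-log record',
]

def is_trusted(ip_str):
    """True if the client address is inside a management subnet; unparsable -> untrusted."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_SUBNETS)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_suspicious(lines):
    """(ip, timestamp, status) for each POST to /api/migration from outside the trusted subnets."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")  # ignore query string and trailing slash
        if path == WATCHED_PATH and not is_trusted(rec["ip"]):
            hits.append((rec["ip"], rec["ts"], int(rec["status"])))
    return hits

def count_by_source(lines):
    """Per-source count of suspicious requests, usable as an alert threshold input."""
    return Counter(ip for ip, _, _ in find_suspicious(lines))
```

A 5xx status on a flagged line is the signal to correlate with the service health check, since a crashed backend answers through the proxy with 500/502.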

Metrics

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1
Affected packages
  • Suprema / BioStar 2 (server): v2.9.11 · v2.9.10 · v2.9.8
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N