VYPR
High severity · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2026-9509

Description

An unhandled exception in Suprema BioStar 2 (Server), versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service (DoS) by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that halts critical processes, leaving the system offline until the services or server are manually restarted. As a result, access control readers cease to function, and potential failures may occur in third-party integrations. Since the exploit requires no privileges or user interaction and is trivial to automate, the impact on availability is high, and the effect extends to interconnected systems.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unhandled exception in Suprema BioStar 2 Server allows unauthenticated remote attackers to cause a denial of service via HTTP POST to /api/migration.

Vulnerability

An unhandled exception (CWE-248) exists in Suprema BioStar 2 Server versions 2.9.8, 2.9.10, and 2.9.11. The vulnerability is triggered when an unauthenticated attacker sends an HTTP POST request to the /api/migration endpoint. This endpoint does not properly handle exceptions, causing a failure that halts critical processes. No special configuration or user interaction is required for the code path to be reachable [1].

Exploitation

An attacker with network access to the BioStar 2 Server can exploit this vulnerability by sending a crafted HTTP POST request to /api/migration. No authentication or prior knowledge is needed. The request is trivial to automate, and the resulting unhandled exception immediately stops critical services. The system remains offline until an administrator manually restarts the services or the server [1].

Impact

Successful exploitation results in a complete denial of service (DoS). The BioStar 2 Server becomes unresponsive, causing connected access control readers to cease functioning and potentially disrupting third-party integrations. The impact on availability is high, and the scope extends to interconnected systems. The CVSS v4.0 base score is 8.2 (AV:N/AC:L/AT:N/PR:N/UI:N/S:C/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H) [1].

Mitigation

The vendor, Suprema, has released a fix for this vulnerability. Users are advised to update BioStar 2 Server to the latest available version. No workarounds are documented in the available references. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
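The Exploitation and Mitigation sections above give a defender two concrete things to act on: the affected version set and the fact that any POST to /api/migration is an event worth alerting on. The following Python is an added example written for this page; it is not code from Suprema, NVD or the advisory. It assumes the BioStar 2 Server is fronted by a reverse proxy or web server that writes Apache "combined" format access logs (the page says nothing about logging), and the sample log lines are constructed. The 5xx responses it counts are an indicator to correlate, not proof that the service crashed.

```python
"""Defensive checks for CVE-2026-9509: affected-version lookup and access-log review.

Added example, not part of the advisory. Assumes (hypothetically) that the
BioStar 2 Server sits behind a proxy logging in Apache "combined" format.
"""
import re
from collections import Counter
from datetime import datetime

# Affected versions as listed in the advisory text.
AFFECTED_VERSIONS = {"2.9.8", "2.9.10", "2.9.11"}
# Endpoint named in the advisory.
TARGET_PATH = "/api/migration"

# Apache "combined"-style line: src ident user [ts] "METHOD path proto" status bytes
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample input (not real traffic). Two POSTs to the endpoint from
# one source, followed by a 502 on an unrelated path, which is what a proxy
# returns once the backend has stopped responding.
SAMPLE_LOG = [
    '203.0.113.7 - - [29/May/2026:10:00:01 +0000] "GET /api/login HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/May/2026:10:00:05 +0000] "POST /api/migration HTTP/1.1" 500 0',
    '203.0.113.7 - - [29/May/2026:10:00:06 +0000] "POST /api/migration?x=1 HTTP/1.1" 502 0',
    '198.51.100.2 - - [29/May/2026:10:00:09 +0000] "GET /api/devices HTTP/1.1" 502 0',
    'not a log line',
]


def is_affected(version: str) -> bool:
    """True when an inventoried BioStar 2 Server version is in the advisory's set."""
    return version.strip() in AFFECTED_VERSIONS


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = _LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_migration_posts(lines, path: str = TARGET_PATH):
    """Return parsed records for every POST whose path (query string stripped) is `path`.

    The advisory states a single unauthenticated POST is enough, so every hit
    is alert-worthy; no rate threshold is applied.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not treated as errors
        if rec["method"] == "POST" and rec["path"].split("?", 1)[0] == path:
            hits.append(rec)
    return hits


def summarize(hits):
    """Per-source counts plus the number of hits that drew a 5xx response."""
    return {
        "total": len(hits),
        "by_source": dict(Counter(h["src"] for h in hits)),
        "server_errors": sum(1 for h in hits if h["status"] >= 500),
    }


def report(lines, version: str) -> str:
    """Human-readable summary combining the version check and the log review."""
    s = summarize(find_migration_posts(lines))
    out = [f"BioStar 2 Server {version}: "
           + ("AFFECTED, update required" if is_affected(version) else "not in affected set")]
    out.append(f"POST {TARGET_PATH} hits: {s['total']} "
               f"(5xx responses: {s['server_errors']})")
    for src, n in sorted(s["by_source"].items()):
        out.append(f"  {src}: {n}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "2.9.10"))
```

Run against a real log, the only thing a responder has to change is the regular expression if the proxy uses another format; the version check is meant to be fed from an asset inventory so that servers still on 2.9.8, 2.9.10 or 2.9.11 are found before the endpoint is probed.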

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; mechanics are only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 1

News mentions: 0

No linked articles in our index yet.