CVE-2025-41257 PUBLISHED

Suprema BioStar 2 Insecure Password Change

Assigner: sba-research
Reserved: 16.04.2025 Published: 04.03.2026 Updated: 04.03.2026

Suprema’s BioStar 2 in version 2.9.11.6 allows users to set new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS Score: 4.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	High	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Suprema
Product	BioStar 2
Versions	Default: unknown Version 2.9.11.6 is affected

Credits

Jakob Hagl (SBA Research) finder
Marija Radosavljević (SBA Research) finder
Fabian Funder (SBA Research) finder

References

https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251104-02_Suprema_BioStar_2_Insecure_Password_Change
https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp

Problem Types

CWE-20 Improper Input Validation CWE