CVE-2025-41257

Suprema BioStar 2 Insecure Password Change

CVSS 4.8 MEDIUMEPSS 0.2%CWE-20

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 4.8EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

04 Mar 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Suprema’s BioStar 2 in version 2.9.11.6 allows users to set new password without providing the current one. Exploiting this flaw combined with other vulnerabilities can lead to unauthorized account access and potential system compromise.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Affected products

Suprema · BioStar 2

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20251104-02_Suprema_BioStar_2_Insecure_Password_Change https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp