CVE Alert: CVE-2025-5555 - Nixdorf Wincor - PORT IO Driver

CVE-2025-5555

HIGHNo exploitation known

A vulnerability has been found in Nixdorf Wincor PORT IO Driver up to 1.0.0.1. This affects the function sub_11100 in the library wnport.sys of the component IOCTL Handler. Such manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0.1 is able to mitigate this issue. Upgrading the affected component is recommended. The vendor was contacted beforehand and was able to provide a patch very early.

CVSS v3.1 (7.8)

Vendor

Nixdorf Wincor

Product

PORT IO Driver

Versions

1.0.0.0 | 1.0.0.1 | 3.0.0.1

CWE

CWE-121, Stack-based Buffer Overflow

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Published

2025-10-18T08:02:06.128Z

Updated

2025-10-18T08:02:06.128Z

References

https://vuldb.com/?id.329013

https://vuldb.com/?ctiid.329013

https://vuldb.com/?submit.604823

https://b.iakb.org/2025/06/26/Wincor-Nixdorf-PORT-IO-Driver-Buffer-Overflow/

https://download.dieboldnixdorf.com/

AI Summary Analysis

Risk verdict

High risk due to a publicly disclosed, local, low-privilege exploit; patching should be treated as a top priority.

Why this matters

A stack-based buffer overflow in the IOCTL Handler can lead to kernel-level memory corruption and remote code execution on affected devices. In environments using the PORT IO Driver (e.g., POS/ATM or retail kiosks on Windows), exploitation could disrupt operations, enable data exposure, or permit authorisation bypass, with tangible business impact.

Most likely attack path

Exploitation requires local access and low privileges; an attacker would target the IOCTL interface exposed by wnport.sys sub_11100. Successful overflow could grant code execution with high privilege and potential system compromise. Lateral movement is limited by the local-access requirement, but a single compromised device could serve as a foothold for a larger target.

Who is most exposed

Devices and deployments that rely on the Nixdorf Wincor PORT IO Driver in Windows-based retail, banking, or kiosk environments are most at risk, especially where physical access cannot be tightly controlled.

Detection ideas

Kernel crash dumps or bluescreens referencing wnport.sys or sub_11100.
Unusual IOCTL activity to the PORT IO Driver, especially near localized access events.
Public-exploit indicators in logs or memory dumps showing buffer overflow patterns.
Erratic memory corruption symptoms during driver calls.

Mitigation and prioritisation

Apply patch to 3.0.0.1; verify compatibility and deploy rapidly.
If patching is delayed, restrict local access to affected devices and segment kiosks/POS endpoints.
Enforce strict access controls around devices with the driver; implement least privilege for processes invoking IOCTLs.
Monitor for kernel instability signals and collect targeted memory crash data for rapid triage.
Update change-management tickets with evidence of exploitation likelihood and remediation steps. If KEV or EPSS data later indicate heightened urgency, elevate accordingly.

Support Our Work

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon or Buy Me A Coffee using the buttons below.

AI APIs OSINT driven New features

Buy Me A Coffee Patreon

Tags: CVE, cve-2025-5555, nixdorf-wincor, OSINT, port-io-driver, threatintel