CVE-2025-5555
📋 TL;DR
A stack-based buffer overflow vulnerability exists in the Nixdorf Wincor PORT IO Driver's IOCTL handler (wnport.sys). This allows local attackers to execute arbitrary code with kernel privileges, potentially leading to full system compromise. Only systems running the vulnerable driver versions are affected.
💻 Affected Systems
- Nixdorf Wincor PORT IO Driver
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with kernel-level privileges, enabling installation of persistent malware, data theft, or system destruction.
Likely Case
Local privilege escalation allowing attackers to gain SYSTEM/root privileges on the affected machine.
If Mitigated
Limited impact if proper access controls prevent local execution by unauthorized users.
🎯 Exploit Status
Exploit has been publicly disclosed and requires local access. The vulnerability is in a kernel driver, making exploitation straightforward for attackers with user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.0.1
Vendor Advisory: https://download.dieboldnixdorf.com/
Restart Required: Yes
Instructions:
1. Download version 3.0.0.1 from the vendor website.
2. Uninstall the current driver.
3. Install the updated driver.
4. Reboot the system.
🔧 Temporary Workarounds
Restrict driver loading
Windows: Prevent loading of the vulnerable driver using Windows driver policies
sc config wnport start= disabled
reg add "HKLM\SYSTEM\CurrentControlSet\Services\wnport" /v Start /t REG_DWORD /d 4 /f
Remove vulnerable driver
Windows: Uninstall the driver completely if not required
pnputil /delete-driver oem#.inf /uninstall
sc delete wnport
🧯 If You Can't Patch
- Implement strict local access controls and limit user privileges
- Monitor for suspicious driver loading or IOCTL calls to wnport.sys
🔍 How to Verify
Check if Vulnerable:
Check driver version in Device Manager or using: driverquery /v | findstr wnport
Check Version:
driverquery /v | findstr wnport
Verify Fix Applied:
Verify driver version shows 3.0.0.1 or higher using: driverquery /v | findstr wnport
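driverquery /v reports the module name, start mode, state, link date and path, so the PowerShell function below, an added example that is not part of the original advisory or vendor tooling, reads the file version from the driver binary and compares it numerically with the fixed release. It assumes the service name wnport from the workaround commands and the patch version 3.0.0.1 stated above; the function name and verdict labels are hypothetical.

```powershell
# Added example, not vendor code. Assumes the service name 'wnport' (from the
# workaround commands) and the fixed version 3.0.0.1 stated in this advisory.
function Test-WnportDriver {
    param(
        [string]  $ServiceName  = 'wnport',
        [version] $FixedVersion = '3.0.0.1'
    )

    $result = [ordered]@{
        Service = $ServiceName; Installed = $false; State = $null; StartMode = $null
        Path = $null; FileVersion = $null; Verdict = 'NotInstalled'
    }

    # Win32_SystemDriver exposes the kernel-driver service entry and its image path.
    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
    if (-not $drv) { return [pscustomobject]$result }

    $result.Installed = $true
    $result.State     = $drv.State
    $result.StartMode = $drv.StartMode

    # The image path can carry the NT prefix \??\ ; strip it to get a Win32 path.
    $path = "$($drv.PathName)" -replace '^\\\?\?\\', ''
    $result.Path = $path
    if (-not $path -or -not (Test-Path -LiteralPath $path -PathType Leaf)) {
        # Service entry exists but the binary is missing or unreadable: check by hand.
        $result.Verdict = 'ImageNotFound'
        return [pscustomobject]$result
    }

    # Build a [version] from the numeric parts; comparing display strings
    # would sort "10.0.0.0" before "3.0.0.1".
    $vi = (Get-Item -LiteralPath $path).VersionInfo
    $fileVersion = [version]::new($vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
    $result.FileVersion = $fileVersion

    # A disabled start mode means the workaround is in place, not that the fix is installed.
    $result.Verdict = if ($fileVersion -ge $FixedVersion) { 'Fixed' } elseif ($drv.StartMode -eq 'Disabled') { 'BelowFixedVersionDisabled' } else { 'BelowFixedVersion' }
    [pscustomobject]$result
}

Test-WnportDriver | Format-List
```

A driver with no version resource reports 0.0.0.0 and is classed as below the fixed version, which should prompt a manual check of the binary.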
📡 Detection & Monitoring
Log Indicators:
- Driver loading events for wnport.sys
- Process creation with elevated privileges following driver access
Network Indicators:
- Not applicable - local exploit only
SIEM Query:
EventID=6 OR EventID=7 OR (EventID=4688 AND NewProcessName LIKE '%wnport%')