CVE ID | CVE-2025-4053 |
Publication date | 26 May 2025 |
Vendor | Be-Tech |
Product | Mifare Classic cards |
Vulnerable versions | All |
Vulnerability type (CWE) | Cleartext Storage of Sensitive Information (CWE-312) |
Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerability in Be-Tech Mifare Classic cards software and participated in coordination of its disclosure.
The vulnerability CVE-2025-4053: The data stored in Be-Tech Mifare Classic card is stored in cleartext. An attacker having access to a Be-Tech Mifare Classic hotel guest card can create a master key card that unlocks all the locks in the building.
This issue affects all Be-Tech Mifare Classic card systems. To fix the vulnerability, it is necessary to replace the software, encoder, cards, and PCBs in the locks.
Credits
We thank Sławomir Jasek (smartlockpicking.com) for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.