CVE-2025-59090
📋 TL;DR
This vulnerability allows unauthenticated attackers to access the SOAP API on exos 9300 servers, enabling them to create arbitrary access log events and query 2FA PINs for enrolled chip cards. It affects organizations using exos 9300 servers with the vulnerable API exposed. The issue stems from missing authentication on the API, making it accessible to anyone with network reachability.
💻 Affected Systems
- exos 9300 server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could retrieve sensitive 2FA PINs, potentially compromising physical security systems, and manipulate access logs to hide unauthorized activities or create false events.
Likely Case
Unauthorized users query 2FA PINs or inject fake access events, leading to data exposure and audit trail manipulation without full system compromise.
If Mitigated
With proper network segmentation and authentication, impact is minimal, limited to isolated incidents if other controls fail.
🎯 Exploit Status
Exploitation is straightforward due to lack of authentication; attackers can send SOAP requests directly without credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories
Restart Required: No
Instructions:
Check vendor advisory for updates; if a patch is released, apply it according to vendor instructions, which may involve firmware updates or configuration changes.
🔧 Temporary Workarounds
Block Port 8002
Restrict network access to port 8002 with a host or network firewall so that only authorized management hosts can reach the API. The rules below drop all traffic to the port; if some hosts must keep access, place an allow rule for those sources ahead of the drop rule (with iptables, note that -A appends to the end of the chain, so an earlier ACCEPT would take precedence).
iptables -A INPUT -p tcp --dport 8002 -j DROP
netsh advfirewall firewall add rule name="Block exos API" dir=in action=block protocol=TCP localport=8002
Disable SOAP API
If possible, disable the vulnerable SOAP API in the exos server configuration to eliminate the attack surface.
Consult exos server documentation or vendor for specific disable commands; may involve configuration files or admin interfaces.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate exos servers from untrusted networks, limiting access to authorized IPs only.
- Monitor and log all traffic on port 8002 for suspicious activity, and review access logs regularly for anomalies.
🔍 How to Verify
Check if Vulnerable:
Use a tool like curl or nmap to test if port 8002 is open and responds to SOAP requests without authentication; e.g., 'nmap -p 8002 <server_ip>' or send a SOAP request to check for unauthenticated access.
Check Version:
Check exos server firmware version via admin interface or vendor-specific commands; refer to vendor documentation for exact steps.
Verify Fix Applied:
After applying workarounds, retest port 8002 accessibility; if blocked or API disabled, attempts should fail or be denied.
📡 Detection & Monitoring
Log Indicators:
- Unusual SOAP API requests on port 8002, especially from unauthorized IPs, or unexpected access log entries being created.
Network Indicators:
- Traffic to port 8002 from external or suspicious sources, or SOAP requests without prior authentication.
SIEM Query:
Example: 'dest_port:8002 AND (event_type:"SOAP" OR protocol:"HTTP") AND NOT src_ip IN [authorized_ips]'. The server listens on 8002, so the match is on the destination port, not the client's ephemeral source port; field names vary by SIEM and should be adapted to the schema in use.
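The same detection logic as offline, testable code, added here as an example rather than taken from the advisory or the vendor: it scans firewall-style connection logs for traffic to the exos API port from sources outside an allow-list. The key=value log format, the sample lines and the 10.20.0.0/24 management subnet are constructed assumptions.

```python
"""Flag connections to the exos SOAP API port (8002) from non-allow-listed sources."""
import ipaddress
import re
from typing import Dict, List

EXOS_API_PORT = 8002  # SOAP API port named in the advisory

# Constructed sample lines in an assumed key=value firewall/proxy style (not real traffic).
SAMPLE_LOG = """\
2025-09-10T08:01:12Z src=10.20.0.15 spt=51322 dst=10.20.0.5 dpt=8002 proto=TCP method=POST ctype=text/xml
2025-09-10T08:02:40Z src=198.51.100.23 spt=40111 dst=10.20.0.5 dpt=8002 proto=TCP method=POST ctype=text/xml
2025-09-10T08:03:05Z src=10.20.0.15 spt=51400 dst=10.20.0.5 dpt=443 proto=TCP method=GET ctype=text/html
2025-09-10T08:04:51Z src=10.30.7.9 spt=39020 dst=10.20.0.5 dpt=8002 proto=TCP method=POST ctype=application/soap+xml
"""

# Assumed management subnet that is allowed to reach the exos server's API.
AUTHORIZED_SOURCES = [ipaddress.ip_network("10.20.0.0/24")]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a 'ts key=value ...' line into a dict; the leading timestamp becomes 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["ts"] = ts
    return fields


def is_authorized(src_ip: str, allowed=AUTHORIZED_SOURCES) -> bool:
    """True when the source address falls inside one of the allow-listed networks."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in allowed)


def find_unauthorized_api_access(log_text: str, allowed=AUTHORIZED_SOURCES) -> List[Dict[str, str]]:
    """Return every connection to the API port whose source is not on the allow-list.

    Only the destination port matters: a caller reaches the API from any ephemeral
    source port, so the check is on dpt rather than spt.
    """
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("dpt") != str(EXOS_API_PORT) or is_authorized(rec["src"], allowed):
            continue
        rec["reason"] = "API port reached from non-allow-listed source"
        hits.append(rec)
    return hits


if __name__ == "__main__":
    for h in find_unauthorized_api_access(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]}:{h["dpt"]} {h["method"]} {h["ctype"]}  {h["reason"]}')
```

Run against the sample, it reports the external 198.51.100.23 connection and the internal but non-allow-listed 10.30.7.9 one, while the 10.20.0.15 traffic and the port-443 request pass.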