CVE-2025-59091
📋 TL;DR
The Kaba exos 9300 datapoint server contains hardcoded credentials for four users, allowing unauthorized access to door access control systems. Attackers can authenticate to ports 1004/1005 to view door status/alerts and send commands to open arbitrary doors. Organizations using Kaba exos 9300 Access Manager systems are affected.
💻 Affected Systems
- Kaba exos 9300 datapoint server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of physical access systems, opening all doors, disabling alarms, and potentially allowing unauthorized building entry or theft.
Likely Case
Unauthorized access to door status monitoring and ability to open specific doors, compromising physical security.
If Mitigated
Limited to information disclosure of door status if network segmentation prevents command execution.
🎯 Exploit Status
Exploitation requires network access to ports 1004/1005 and knowledge of hardcoded credentials (which may be publicly available).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown specific version - check vendor advisory
Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories
Restart Required: Yes
Instructions:
1. Check vendor advisory for patched version. 2. Apply vendor-provided firmware update. 3. Restart exos 9300 system. 4. Verify credentials are no longer hardcoded.
🔧 Temporary Workarounds
Network Segmentation
allBlock external access to ports 1004/1005 and restrict internal access to authorized management systems only.
Firewall Rules
allImplement strict firewall rules allowing only necessary communication between Access Managers and datapoint server.
🧯 If You Can't Patch
- Isolate exos 9300 systems on separate VLAN with strict access controls
- Implement network monitoring for unauthorized access attempts on ports 1004/1005
🔍 How to Verify
Check if Vulnerable:
Attempt authentication to port 1004/1005 using known hardcoded credentials (check security advisories for specifics).Check Version:
Check system firmware version via management interface (vendor-specific command).Verify Fix Applied:
After patching, verify authentication attempts with hardcoded credentials fail and only authorized credentials work.📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts from unexpected sources
- Successful logins using default/hardcoded usernames
- Door control commands from unauthorized IPs
Network Indicators:
- Traffic to ports 1004/1005 from unauthorized networks
- Authentication attempts using hardcoded credentials
SIEM Query:
source_port:1004 OR source_port:1005 AND (event_type:authentication OR event_type:door_control)