CVE-2025-59092
📋 TL;DR
This vulnerability allows unauthenticated attackers to send arbitrary status information to the Kaba exos 9300 access control system via an exposed RPC service. Attackers can manipulate door contact status and other access control data without authentication. Organizations using exos 9300 access control systems are affected.
💻 Affected Systems
- Kaba exos 9300 Access Control System
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate door status information to create false security alerts, override legitimate access control data, or disrupt physical security operations by feeding incorrect status to the access management system.
Likely Case
Attackers send false door contact status information to create confusion, trigger false alarms, or temporarily disrupt access control monitoring capabilities.
If Mitigated
With proper network segmentation and access controls, impact is limited to isolated network segments with minimal operational disruption.
🎯 Exploit Status
Exploitation requires only network access to port 4000 and knowledge of the RPC protocol format. No authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified
Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories
Restart Required: No
Instructions:
1. Check vendor advisory for updates. 2. Apply any available patches from Dormakaba. 3. Verify the RPC service now requires authentication.
🔧 Temporary Workarounds
Network Segmentation
allIsolate exos 9300 systems from untrusted networks using firewalls
# Configure firewall to block port 4000 from untrusted networks
# Example: iptables -A INPUT -p tcp --dport 4000 -j DROP
Service Restriction
windowsConfigure the RPC service to only accept connections from trusted IP addresses
# Windows Firewall: New-NetFirewallRule -DisplayName "Block exos RPC" -Direction Inbound -LocalPort 4000 -Protocol TCP -Action Block
# Allow only specific IPs: New-NetFirewallRule -DisplayName "Allow exos RPC" -Direction Inbound -LocalPort 4000 -Protocol TCP -RemoteAddress 192.168.1.0/24 -Action Allow
🧯 If You Can't Patch
- Implement strict network segmentation to isolate exos 9300 systems from all untrusted networks
- Deploy intrusion detection systems to monitor for unauthorized access attempts on port 4000
🔍 How to Verify
Check if Vulnerable:
Use nmap or telnet to check if port 4000 is open and accessible without authentication: nmap -p 4000 <target_ip>Check Version:
Check system documentation or contact vendor for version informationVerify Fix Applied:
Attempt to connect to port 4000 and verify connection is rejected or requires authentication📡 Detection & Monitoring
Log Indicators:
- Unexpected connections to port 4000
- Multiple failed authentication attempts if authentication is implemented
- Unusual RPC service activity
Network Indicators:
- Traffic to/from port 4000 from unauthorized sources
- Unusual RPC protocol patterns
- High volume of connections to port 4000
SIEM Query:
source_port=4000 OR dest_port=4000 | stats count by src_ip, dest_ip