CVE-2025-59093
📋 TL;DR
This vulnerability allows attackers to derive the database password for Exos 9300 instances by reading predictable registry values. Attackers can then authenticate to the central MSSQL database with privileges to read, update, and insert data. All Exos 9300 instances using the vulnerable configuration are affected.
💻 Affected Systems
- Dormakaba Exos 9300
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Exos 9300 database allowing data theft, manipulation of access control systems, and potential disruption of physical security operations.
Likely Case
Unauthorized database access leading to sensitive data exposure including user information, access logs, and system configurations.
If Mitigated
Limited impact if database is isolated, access controls are strict, and monitoring detects unusual database activity.
🎯 Exploit Status
Exploitation requires local access or ability to read registry values, but the password derivation process is straightforward once registry values are obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories
Restart Required: Yes
Instructions:
1. Review the vendor security advisory.
2. Apply the recommended patches from Dormakaba.
3. Restart the affected Exos 9300 services.
4. Change the database passwords to strong, unique values.
🔧 Temporary Workarounds
Change Database Password
Manually change the Exos9300Common database password to a strong, random value that is not derived from predictable sources. The password shown below is a placeholder; replace it with a generated one.
USE [master];
-- placeholder value: substitute a randomly generated password
ALTER LOGIN [Exos9300Common] WITH PASSWORD = 'NewStrongPassword123!';
Restrict Registry Access
Modify the registry permissions so that non-administrative users cannot read the random string value used in password generation.
regedit -> Navigate to vulnerable registry key -> Security -> Edit permissions
🧯 If You Can't Patch
- Isolate the Exos 9300 database server from general network access
- Implement strict network segmentation and firewall rules limiting database connections
🔍 How to Verify
Check if Vulnerable:
Check whether the registry contains the predictable values used in password generation, and whether the database password follows the vulnerable pattern.
Check Version:
Check Exos 9300 administration interface or contact vendor for version information
Verify Fix Applied:
Verify database password has been changed to a strong, non-predictable value and test that the old password no longer works.
📡 Detection & Monitoring
Log Indicators:
- Unusual database login attempts by Exos9300Common user
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unexpected MSSQL database connections from non-standard sources
- Database queries from unauthorized IP addresses
SIEM Query:
source="*mssql*" AND (event_id=18454 OR event_id=18456) AND user="Exos9300Common"
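The log and network indicators above can be checked offline against SQL Server ERRORLOG-style text. The script below is an added example, not part of this advisory or of any Dormakaba tooling: it parses "Login failed" (event 18456) and "Login succeeded" (event 18454) lines, flags a client that fails repeatedly for Exos9300Common and then succeeds within a short window, and lists successful logins from clients outside an allow-list. The sample log lines, the client addresses and the allow-list are constructed for the example; the detection thresholds are assumptions to tune per environment.

```python
"""Detection logic for the indicators under "Detection & Monitoring":
repeated failed MSSQL logins followed by a success for Exos9300Common,
and successful logins from clients that are not on an allow-list.
Added example; the sample ERRORLOG-style lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of SQL Server ERRORLOG entries.
SAMPLE_LOG = """\
2025-10-01 10:14:50.10 Logon       Login succeeded for user 'Exos9300Common'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.10]
2025-10-01 10:15:01.23 Logon       Error: 18456, Severity: 14, State: 8.
2025-10-01 10:15:01.23 Logon       Login failed for user 'Exos9300Common'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.77]
2025-10-01 10:15:03.41 Logon       Login failed for user 'Exos9300Common'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.77]
2025-10-01 10:15:05.02 Logon       Login failed for user 'Exos9300Common'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.77]
2025-10-01 10:15:09.87 Logon       Login succeeded for user 'Exos9300Common'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.77]
2025-10-01 10:16:00.00 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.77]
"""

# Matches the outcome lines only; the separate "Error: 18456 ..." detail line is skipped.
LOGON_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_logon_events(text):
    """Return a list of {ts, ok, user, client} dicts, one per logon outcome line."""
    events = []
    for line in text.splitlines():
        m = LOGON_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "ok": m["outcome"] == "succeeded",
            "user": m["user"],
            "client": m["client"],
        })
    return events


def failures_then_success(events, user="Exos9300Common", min_failures=3,
                          window=timedelta(minutes=5)):
    """Alert when one client accumulates min_failures failed logins for `user`
    and then succeeds within `window`. Thresholds are assumed defaults."""
    alerts = []
    recent = defaultdict(list)  # client -> timestamps of failures inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["user"] != user:
            continue
        fails = recent[ev["client"]]
        fails[:] = [t for t in fails if ev["ts"] - t <= window]  # slide the window
        if not ev["ok"]:
            fails.append(ev["ts"])
        elif len(fails) >= min_failures:
            alerts.append({"client": ev["client"], "failures": len(fails),
                           "success_at": ev["ts"]})
            fails.clear()
    return alerts


def successes_from_unexpected_clients(events, allowed_clients, user="Exos9300Common"):
    """Clients that logged in successfully as `user` but are not on the allow-list."""
    return sorted({ev["client"] for ev in events
                   if ev["ok"] and ev["user"] == user
                   and ev["client"] not in allowed_clients})


if __name__ == "__main__":
    evs = parse_logon_events(SAMPLE_LOG)
    for a in failures_then_success(evs):
        print(f"ALERT: {a['failures']} failures then success from {a['client']} at {a['success_at']}")
    # Constructed allow-list: only the application server is expected to connect.
    for c in successes_from_unexpected_clients(evs, {"10.0.0.10"}):
        print(f"ALERT: Exos9300Common login from unexpected client {c}")
```

Feed real ERRORLOG output into `parse_logon_events` and replace the allow-list with the addresses of the Exos 9300 application hosts; successful logins require login auditing set to record both failed and successful logins, otherwise only the 18456 lines will be present.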