CVE-2025-59094


📋 TL;DR

This CVE describes a local privilege escalation vulnerability in d9sysdef.exe, the System management application of the Kaba exos 9300 access control system. A user with local access to the host can instruct the application to schedule an executable of their choosing, and that executable then runs with SYSTEM privileges, giving the attacker full control of the machine. Organizations running the Kaba exos 9300 management software on Windows are affected.

💻 Affected Systems

Products:
  • Kaba exos 9300 System management application
Versions: Specific versions not specified in CVE description
Operating Systems: Windows (implied by .exe executable)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in d9sysdef.exe component. Requires local access to the system running the management application.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the host. The attacker gains persistent SYSTEM-level access, installs malware, harvests credentials (including any cached domain credentials) and pivots from the access control server to other systems on the network.

🟠 Likely Case: A local user, or an attacker who has already obtained a low-privileged foothold on the host, escalates to SYSTEM, disables security controls and establishes persistence on the affected system.

🟢 If Mitigated: Limited impact if local access to the host is restricted to authorized administrators, the application runs with the least privilege the vendor supports, and the system is segmented from the rest of the network.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring local access to the system.
🏢 Internal Only: HIGH - Any malicious insider or compromised account with local access can exploit this to gain SYSTEM privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access, but the CVE description suggests it is straightforward: the attacker only needs to point the application at an executable they control, and the application runs it as SYSTEM. No memory corruption or race condition is involved, so the LOW complexity rating reflects a logic flaw rather than an exploitation technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in CVE description

Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories

Restart Required: Yes

Instructions:

  1. Check the vendor advisory for the specific patch version.
  2. Download the patch from official vendor sources.
  3. Apply the patch following the vendor instructions.
  4. Restart the system as required.
  5. Verify that the patch was applied.

🔧 Temporary Workarounds

Restrict Local Access (Platform: Windows)

Limit local and interactive logon to systems running d9sysdef.exe to authorized administrators only; remove ordinary users from the local Users and Remote Desktop Users groups on that host and restrict who can launch the management application.

Remove Unnecessary Privileges (Platform: Windows)

Run d9sysdef.exe under the least-privileged account the vendor supports rather than in the SYSTEM context. Note that this only helps if the vendor documents a supported lower-privilege configuration; changing the service account on your own may break the application and does not remove the flaw, it only limits what a scheduled executable inherits.

🧯 If You Can't Patch

  • Implement strict access controls to prevent unauthorized local access to affected systems
  • Monitor for suspicious scheduled tasks or processes running with SYSTEM privileges

🔍 How to Verify

Check if Vulnerable:

Confirm that d9sysdef.exe is installed (look in the Kaba exos 9300 installation directory and in the list of running services and processes), note the account it runs under, and determine which local users can launch it or reach its scheduling function. Until the patch is applied, treat any non-administrative user who can reach that function as able to run code as SYSTEM.

Check Version:

Read the file version from the properties of d9sysdef.exe (Details tab, or the VersionInfo of the file) and compare it with the version the vendor advisory names as fixed, since the CVE entry itself does not state affected versions.

Verify Fix Applied:

Confirm that the installed version matches or exceeds the fixed version named in the vendor advisory, then re-test as a non-administrative user that the application no longer lets you schedule an arbitrary executable to run as SYSTEM.

📡 Detection & Monitoring

Log Indicators:

  • Unusual scheduled task creation events
  • Processes running with SYSTEM privileges from unexpected locations
  • Modifications to d9sysdef.exe configuration

Network Indicators:

  • Unusual outbound connections from SYSTEM processes
  • Lateral movement attempts from affected system

SIEM Query:

EventID IN (4698, 4702) AND (TaskContent OR TaskContentNew) contains '<UserId>S-1-5-18</UserId>' AND NOT (Command starts with 'C:\Windows\' OR Command starts with 'C:\Program Files')

Notes on this query: 4698 (task created) carries the task definition in TaskContent and 4702 (task updated) in TaskContentNew; the principal SID S-1-5-18 identifies tasks that run as SYSTEM. Neither event records the name of the process that registered the task, so a ProcessName filter on these events matches nothing. To attribute a task to d9sysdef.exe, correlate with process-creation telemetry (Security 4688 or Sysmon Event ID 1) where the parent image is d9sysdef.exe. Both scheduled-task events are only written when the "Audit Other Object Access Events" subcategory is enabled.
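The detection logic above, run offline over sample events, as an added example that is not part of the CVE entry or of dormakaba's software. It assumes, as the SIEM query does, that the scheduling done by d9sysdef.exe shows up as Windows Task Scheduler events 4698/4702; the sample events, the SIDs, the task names and the trusted directory list are all constructed for the example and should be tuned for your site.

```python
"""Triage Windows Security events 4698 (task created) and 4702 (task updated)
for tasks that run as SYSTEM from an untrusted path.  Added example; the
sample events below are constructed, not captured from a real host."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
TASK = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SYSTEM_SID = "S-1-5-18"
# Assumption: binaries a SYSTEM task may legitimately run live under these roots.
# Add the Kaba exos 9300 installation directory for your site.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def make_event(event_id, subject_sid, subject_name, task_name, run_as_sid, command):
    """Build a constructed 4698/4702 event in the shape Windows writes.
    The task definition is itself XML, carried escaped inside a <Data> element."""
    task = (f'<Task version="1.2" xmlns="{TASK[1:-1]}"><Principals><Principal id="Author">'
            f"<UserId>{run_as_sid}</UserId><RunLevel>HighestAvailable</RunLevel></Principal>"
            f'</Principals><Actions Context="Author"><Exec><Command>{escape(command)}</Command>'
            "</Exec></Actions></Task>")
    content_key = "TaskContent" if event_id == 4698 else "TaskContentNew"
    return (f'<Event xmlns="{EVT[1:-1]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserSid">{subject_sid}</Data>'
            f'<Data Name="SubjectUserName">{subject_name}</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="{content_key}">{escape(task)}</Data></EventData></Event>')


def task_details(task_xml):
    """Extract the run-as principal SID and the executable from a task definition."""
    if task_xml.startswith("<?xml"):
        # real events carry a UTF-16 declaration; drop it, the string is already decoded
        task_xml = task_xml[task_xml.index("?>") + 2:]
    t = ET.fromstring(task_xml)
    run_as = t.findtext(f"{TASK}Principals/{TASK}Principal/{TASK}UserId") or ""
    command = t.findtext(f"{TASK}Actions/{TASK}Exec/{TASK}Command") or ""
    return run_as, command.strip().strip('"')


def triage(event_xml):
    """Return a finding for a SYSTEM task whose binary sits outside the trusted roots, else None."""
    root = ET.fromstring(event_xml)
    event_id = int(root.findtext(f"{EVT}System/{EVT}EventID"))
    if event_id not in (4698, 4702):
        return None
    data = {d.get("Name"): (d.text or "") for d in root.iter(f"{EVT}Data")}
    # 4698 carries the definition in TaskContent, 4702 in TaskContentNew
    content = data.get("TaskContent") or data.get("TaskContentNew")
    if not content:
        return None
    run_as, command = task_details(content)
    if run_as != SYSTEM_SID:
        return None  # only SYSTEM-level tasks matter for this weakness
    if command.lower().startswith(TRUSTED_ROOTS):
        return None
    subject_name = data.get("SubjectUserName", "")
    subject_sid = data.get("SubjectUserSid", "")
    return {
        "event_id": event_id,
        "task": data.get("TaskName", ""),
        "registered_by": f"{subject_name} ({subject_sid})",
        "command": command,
        "reason": "SYSTEM task runs an executable outside trusted directories",
    }


def triage_all(events):
    """Return only the events that produced a finding."""
    return [f for f in (triage(e) for e in events) if f]


# Constructed sample events (not real telemetry)
USER_SID = "S-1-5-21-1111-2222-3333-1105"
SAMPLE_EVENTS = [
    # benign: built-in SYSTEM task, binary under C:\Windows
    make_event(4698, SYSTEM_SID, "SYSTEM", r"\Microsoft\Windows\Defrag\ScheduledDefrag",
               SYSTEM_SID, r"C:\Windows\system32\defrag.exe"),
    # suspicious: an interactive user registers a SYSTEM task pointing into a user-writable path
    make_event(4698, USER_SID, "jdoe", r"\exos\Maintenance",
               SYSTEM_SID, r"C:\Users\Public\update.exe"),
    # suspicious: an existing task is updated to run a new binary from the user's temp directory
    make_event(4702, USER_SID, "jdoe", r"\exos\Backup",
               SYSTEM_SID, r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"),
    # out of scope: the task only runs as the user who created it
    make_event(4698, USER_SID, "jdoe", r"\Users\jdoe\Sync", USER_SID, r"C:\Users\jdoe\sync.exe"),
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"[{f['event_id']}] {f['task']} -> {f['command']} registered by {f['registered_by']}")
```

The check keys off the task definition (run-as SID and command path) rather than off a process name, because 4698/4702 do not record which executable registered the task; when d9sysdef.exe runs as a service the subject of the event will itself be SYSTEM, so the untrusted-path test is the one that still fires. Feed the function the raw XML from Get-WinEvent or from your log pipeline's event export.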
