CVE-2025-59097
📋 TL;DR
CVE-2025-59097 is an authentication bypass vulnerability in dormakaba exos 9300 Access Manager configuration software. It allows unauthenticated attackers with network access to completely control connected physical access systems (door controllers, alarms, etc.). Organizations using exos 9300 with default configurations are affected.
💻 Affected Systems
- dormakaba exos 9300
- Access Managers 92xx series
- Access Managers 9230
- Access Managers 9290
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete physical security compromise: all doors opened permanently, alarm systems disabled, admin passwords changed, allowing unrestricted physical access to facilities.
Likely Case
Unauthorized door access, alarm system tampering, and configuration changes leading to physical security breaches.
If Mitigated
Limited to authenticated administrative actions only, maintaining proper access control and audit trails.
🎯 Exploit Status
Exploitation requires network access to the exos server or to the Access Managers. By default no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.dormakabagroup.com/en/security-advisories
Restart Required: No
Instructions:
Enable authentication:
1. For 92xx-K5 devices: configure IPsec.
2. For 92xx-K7 devices: configure mTLS.
3. Implement network segmentation and firewalls.
🔧 Temporary Workarounds
Network Segmentation
Isolate exos 9300 servers and Access Managers from untrusted networks
Firewall Rules
Restrict SOAP traffic to authorized administrative IPs only
🧯 If You Can't Patch
- Immediately remove internet exposure - ensure no direct internet access to exos systems
- Implement strict network segmentation with firewall rules limiting access to administrative networks only
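The segmentation and firewall guidance above, written out as an nftables ruleset for a gateway sitting between the administrative network and the exos segment. This is an added example, not a ruleset from the advisory or from dormakaba; the SOAP port (8080), the admin network (10.0.1.0/24) and the exos/Access Manager segment (10.20.0.0/16) are placeholders to be replaced with your own values.

```nftables
# Added example ruleset for a segmentation gateway (not vendor-supplied).
# ASSUMPTIONS: exos server and Access Managers live in 10.20.0.0/16 and
# accept SOAP on TCP 8080 (placeholder port); admins sit in 10.0.1.0/24.
table inet exos_segmentation {
    set admin_hosts {
        type ipv4_addr
        flags interval
        elements = { 10.0.1.0/24 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # SOAP into the exos segment only from administrative hosts
        ip daddr 10.20.0.0/16 tcp dport 8080 ip saddr @admin_hosts accept

        # Any other SOAP attempt into the segment is logged (feeds the
        # "SOAP traffic from unauthorized IPs" indicator) and dropped
        ip daddr 10.20.0.0/16 tcp dport 8080 log prefix "exos-soap-denied: " drop

        # Nothing else reaches the segment; in particular no path from an
        # internet-facing interface exists because the policy is drop
    }
}
```

Load with `nft -f` on the gateway and confirm with `nft list ruleset`; the `log prefix` lines give you a kernel-log string to alert on without needing SOAP decoding on the network sensor.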
🔍 How to Verify
Check if Vulnerable:
Check whether exos 9300 SOAP communication lacks IPsec (K5) or mTLS (K7) authentication. Test whether the exos server is reachable over the network from segments that should not have access.
Check Version:
Check exos 9300 application version in GUI or configuration files.
Verify Fix Applied:
Verify IPsec/mTLS is properly configured and test that unauthenticated SOAP requests are rejected.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized SOAP requests to exos server
- Configuration changes from unexpected IP addresses
- Authentication failure logs if auth is enabled
Network Indicators:
- SOAP traffic to exos server from unauthorized IPs
- Unencrypted SOAP communication to Access Managers
SIEM Query:
source_ip NOT IN (admin_ips) AND dest_port=SOAP_port AND protocol=SOAP
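The log and network indicators above, together with the SIEM pseudo-query, implemented as a small detection routine run over a constructed flow-log export. This is an added example, not code from the advisory or from dormakaba; the SOAP port (8080), the admin allowlist (10.0.1.0/24), the exos server address (10.20.1.5) and the Access Manager subnet (10.20.0.0/24) are assumptions, and the sample log lines are constructed, not captured traffic.

```python
import csv
import io
import ipaddress

# ASSUMPTIONS, not from the advisory: the SOAP listener port (placeholder),
# the administrative allowlist and the Access Manager subnet. Replace them
# with the values from your own deployment.
SOAP_PORT = 8080
ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]
ACCESS_MANAGER_NET = ipaddress.ip_network("10.20.0.0/24")

# Constructed flow-log export (not real traffic). Columns:
#   ts, src, dst, dport, app (protocol label from the sensor),
#   encrypted (1 if carried inside IPsec/TLS), write (1 if the decoded
#   SOAP action changes configuration). 10.20.1.5 plays the exos server.
SAMPLE_LOG = """\
ts,src,dst,dport,app,encrypted,write
2025-10-01T08:00:01Z,10.0.1.15,10.20.1.5,8080,SOAP,1,1
2025-10-01T08:00:07Z,192.168.50.9,10.20.1.5,8080,SOAP,0,1
2025-10-01T08:00:09Z,10.0.1.15,10.20.0.31,8080,SOAP,0,0
2025-10-01T08:00:12Z,192.168.50.9,10.20.1.5,443,HTTPS,1,0
2025-10-01T08:00:15Z,10.0.1.20,10.20.1.5,8080,SOAP,1,0
"""


def parse_flows(text):
    """Parse the CSV export into dicts with typed fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["encrypted"] = row["encrypted"] == "1"
        row["write"] = row["write"] == "1"
        flows.append(row)
    return flows


def in_any(ip, nets):
    return any(ip in net for net in nets)


def find_indicators(flows, admin_nets=ADMIN_NETS, soap_port=SOAP_PORT,
                    am_net=ACCESS_MANAGER_NET):
    """Return (ts, src, dst, reason) tuples for the advisory's indicators."""
    findings = []
    for f in flows:
        # The SIEM query's filter: only SOAP on the SOAP port is of interest.
        if f["app"] != "SOAP" or f["dport"] != soap_port:
            continue
        src = ipaddress.ip_address(f["src"])
        dst = ipaddress.ip_address(f["dst"])
        if not in_any(src, admin_nets):
            # source_ip NOT IN (admin_ips)
            findings.append((f["ts"], f["src"], f["dst"],
                             "soap-from-unauthorized-ip"))
            if f["write"]:
                # Configuration change from an unexpected address
                findings.append((f["ts"], f["src"], f["dst"],
                                 "config-change-from-unexpected-ip"))
        if dst in am_net and not f["encrypted"]:
            # Traffic to an Access Manager outside IPsec (K5) / mTLS (K7)
            findings.append((f["ts"], f["src"], f["dst"],
                             "unencrypted-soap-to-access-manager"))
    return findings


def summarize(findings):
    """Count findings per reason, e.g. for a dashboard tile."""
    counts = {}
    for _, _, _, reason in findings:
        counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, src, dst, reason in find_indicators(parse_flows(SAMPLE_LOG)):
        print(f"{ts} {src} -> {dst}: {reason}")
```

On the constructed log this raises three findings: the unauthorized host's SOAP call (which is also a configuration write), and the administrator's unencrypted session straight to an Access Manager, which is what the "Unencrypted SOAP communication to Access Managers" indicator is meant to catch even when the source is trusted. The HTTPS flow on 443 is ignored because the query scopes to the SOAP port.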