
Description

Multiple hardcoded credentials have been identified that allow signing in to the Kaba exos 9300 datapoint server running on ports 1004 and 1005. This server relays status information to and from the Access Managers. Among other things, this information is used to graphically visualize open doors and alerts; however, the same interface can also be used to control the Access Managers. Authentication is required to send and receive status information. The Kaba exos 9300 application contains hard-coded credentials for four different users, each of which is allowed to log in to the datapoint server and both receive and send information, including commands to open arbitrary doors.

PUBLISHED Reserved 2025-09-09 | Published 2026-01-26 | Updated 2026-01-26 | Assigner SEC-VLab

CRITICAL: 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-798: Use of Hard-coded Credentials

Product status

Default status: unknown

<4.4.1 (manual mitigation needed): affected

>=4.4.1 (secured by default): unaffected

Credits

Clemens Stockenreitner, SEC Consult Vulnerability Lab finder

Werner Schober, SEC Consult Vulnerability Lab finder

References

r.sec-consult.com/dormakaba technical-description

r.sec-consult.com/dkexos third-party-advisory

www.dormakabagroup.com/en/security-advisories vendor-advisory

cve.org (CVE-2025-59091)

nvd.nist.gov (CVE-2025-59091)
