Hardcoded Legacy Accounts Allowing Control Over Access Managers in dormakaba...

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible.

To send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to login to the datapoint server and receive as well as send information, including commands to open arbitrary doors.

Basic Information

ID CVE-2025-59091

Source SEC-VLab

Published Jan 26, 2026 at 10:03

Affected Product

Vendor dormakaba

Product Kaba exos 9300

Version <4.4.1 manual mitigation needed

Affected Versions dormakaba Kaba exos 9300 <4.4.1 manual mitigation needed

CWE Classification

CWE-798

References

{
    "lastseen": "",
    "description": "Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible.\n\nTo send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to login to the datapoint server and receive as well as send information, including commands to open arbitrary doors.",
    "published": "2026-01-26T10:03:34.142Z",
    "modified": "2026-01-26T10:03:34.142Z",
    "type": "cve",
    "title": "Hardcoded Legacy Accounts Allowing Control Over Access Managers in dormakaba Kaba exos 9300",
    "source": "SEC-VLab",
    "references": "https://r.sec-consult.com/dormakaba\nhttps://r.sec-consult.com/dkexos\nhttps://www.dormakabagroup.com/en/security-advisories",
    "id": "CVE-2025-59091",
    "bulletinFamily": "",
    "cwe": [
        "CWE-798"
    ],
    "cvelist": null,
    "sourceData": "dormakaba Kaba exos 9300 <4.4.1 manual mitigation needed",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Kaba exos 9300",
    "version": "<4.4.1 manual mitigation needed",
    "vendor": "dormakaba",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Hardcoded Legacy Accounts Allowing Control Over Access Managers in dormakaba Kaba exos 9300_CVE-2025-59091