CVE-2025-59090
Unauthenticated Access to exos 9300 SOAP API Exposes 2FA PINs
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dormakaba | kaba_exos_9300 | up to 4.4.1 (excluding) |
| dormakaba | kaba_exos_9300 | 4.4.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability (CVE-2025-59090) affects the dormakaba exos 9300 server, where a SOAP API running on port 8002 does not require any authentication. This allows an attacker with network access to the server to send requests that can create arbitrary access log events, such as fake successful authentications, and to query the two-factor authentication (2FA) PINs associated with enrolled chip cards. Essentially, attackers can forge access events with arbitrary timestamps and enumerate valid card IDs without any authentication. [1]
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to serious security impacts including unauthorized creation of access log entries, which can be used to cover unauthorized access or create false audit trails. Attackers can also retrieve sensitive 2FA PIN codes associated with chip cards, potentially allowing them to bypass physical access controls. This compromises the integrity of the physical access management system, enabling unauthorized door unlocking, manipulation of access logs, and exposure of sensitive authentication data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by scanning for the presence of the exos 9300 SOAP API on port 8002, which does not require authentication. Network scanning tools like nmap can be used to check if port 8002 is open on the exos 9300 server. For example, the command `nmap -p 8002 <target-ip>` can identify if the SOAP API is reachable. Additionally, monitoring network traffic for unauthenticated SOAP requests to port 8002 may indicate exploitation attempts. Specific SOAP XML requests can be crafted to test if the API accepts unauthenticated commands to create access log events or query 2FA PINs, as shown in the advisory examples. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include installing the vendor patch version 4.4.1 or later, which fixes this and other critical vulnerabilities. Additionally, restrict network access to the exos 9300 server ports (8002, 1004, 1005, 4000) by implementing network segmentation and firewall rules to allow only trusted systems to connect. Replace any hardcoded credentials and enforce strong authentication mechanisms. Review and secure database password derivation and storage methods, and audit encryption methods for sensitive data such as PINs. Refer to the SEC Consult blog and dormakaba security advisories for detailed mitigation guidance. [1]
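The detection and mitigation answers above both come down to one control: only trusted hosts may reach the exos 9300 service ports (8002, 1004, 1005, 4000), and anything else talking to tcp/8002 deserves an alert. The following script is an added example, not part of the CVE record or of any dormakaba or SEC Consult tooling: it parses constructed flow-log lines (the field layout, the server address 10.10.5.20 and the trusted networks are all assumptions) and raises an alert for every TCP connection to an exos port from outside the allowlist, tagging port 8002 separately because that is the unauthenticated SOAP API.

```python
"""Flag connections to exos 9300 service ports from hosts outside a trusted allowlist.

Added example (not from the CVE record or the vendor). The flow-log format, the
server address and the trusted networks below are constructed assumptions; adapt
parse_flow() to your firewall or NetFlow export.
"""
import ipaddress
from dataclasses import dataclass

# Ports named in the mitigation guidance for the exos 9300 server.
EXOS_PORTS = {8002, 1004, 1005, 4000}
SOAP_PORT = 8002  # the unauthenticated SOAP API (CVE-2025-59090)

# Hypothetical addresses: the exos server and the networks allowed to reach it.
EXOS_SERVER = ipaddress.ip_address("10.10.5.20")
TRUSTED_NETS = [
    ipaddress.ip_network("10.10.5.0/28"),   # access-control management VLAN (assumed)
    ipaddress.ip_network("10.0.99.7/32"),   # monitoring host (assumed)
]


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dport: int
    reason: str


def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in TRUSTED_NETS)


def parse_flow(line: str):
    """Parse one constructed flow record: ts src sport dst dport proto.

    Returns None for lines that do not match, so malformed input is skipped
    rather than crashing the scan.
    """
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, _sport, dst, dport, proto = parts
    try:
        return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}
    except ValueError:
        return None


def scan_flows(lines):
    """Return an Alert for each TCP flow to an exos port from an untrusted source."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"] != "tcp":
            continue
        if ipaddress.ip_address(flow["dst"]) != EXOS_SERVER:
            continue
        if flow["dport"] not in EXOS_PORTS:
            continue
        if is_trusted(flow["src"]):
            continue
        reason = ("untrusted host reached unauthenticated SOAP API port"
                  if flow["dport"] == SOAP_PORT
                  else "untrusted host reached exos service port")
        alerts.append(Alert(flow["ts"], flow["src"], flow["dport"], reason))
    return alerts


# Constructed sample flows: one trusted client, two untrusted hosts, one UDP
# record, one flow to an unrelated port and one malformed line.
SAMPLE_FLOWS = [
    "2026-01-26T08:00:01Z 10.10.5.3 51000 10.10.5.20 8002 tcp",
    "2026-01-26T08:00:05Z 192.168.44.17 40022 10.10.5.20 8002 tcp",
    "2026-01-26T08:00:09Z 192.168.44.17 40023 10.10.5.20 443 tcp",
    "2026-01-26T08:01:00Z 172.16.8.9 33000 10.10.5.20 4000 tcp",
    "2026-01-26T08:01:02Z 172.16.8.9 33001 10.10.5.20 8002 udp",
    "not a flow record",
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(f"{alert.ts} {alert.src} -> tcp/{alert.dport}: {alert.reason}")
```

Run as-is it reports the two untrusted connections (one to 8002, one to 4000) and stays silent on the trusted client, the UDP record and the unrelated port. Because the check is a pure network allowlist, the same logic expresses the firewall rule from the mitigation answer: every flow that would raise an alert here is one the segmentation policy should have dropped.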
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to sensitive information such as 2FA PINs associated with chip cards and enables attackers to forge access logs and manipulate physical access controls without authentication. This exposure and manipulation of sensitive authentication data and access records can lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and authentication data, as well as maintaining accurate access logs to ensure security and privacy. Therefore, exploitation of this vulnerability could result in violations of data protection and security requirements mandated by such regulations. [1, 2]