CVE-2025-59090
Unknown Unknown - Not Provided
Unauthenticated Access to exos 9300 SOAP API Exposes 2FA PINs

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: SEC Consult Vulnerability Lab

Description
On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59090
EUVD
EUVD-2025-206366
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
dormakaba kaba_exos_9300 to 4.4.1 (exc)
dormakaba kaba_exos_9300 4.4.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability (CVE-2025-59090) affects the dormakaba exos 9300 server, where a SOAP API running on port 8002 does not require any authentication. This allows an attacker with network access to the server to send requests that can create arbitrary access log events, such as fake successful authentications, and to query the two-factor authentication (2FA) PINs associated with enrolled chip cards. Essentially, attackers can forge access events with arbitrary timestamps and enumerate valid card IDs without any authentication. [1]

Impact Analysis

Exploitation of this vulnerability can lead to serious security impacts including unauthorized creation of access log entries, which can be used to cover unauthorized access or create false audit trails. Attackers can also retrieve sensitive 2FA PIN codes associated with chip cards, potentially allowing them to bypass physical access controls. This compromises the integrity of the physical access management system, enabling unauthorized door unlocking, manipulation of access logs, and exposure of sensitive authentication data. [1]

Detection Guidance

This vulnerability can be detected by scanning for the presence of the exos 9300 SOAP API on port 8002, which does not require authentication. Network scanning tools like nmap can be used to check if port 8002 is open on the exos 9300 server. For example, the command `nmap -p 8002 <target-ip>` can identify if the SOAP API is reachable. Additionally, monitoring network traffic for unauthenticated SOAP requests to port 8002 may indicate exploitation attempts. Specific SOAP XML requests can be crafted to test if the API accepts unauthenticated commands to create access log events or query 2FA PINs, as shown in the advisory examples. [1]

Mitigation Strategies

Immediate mitigation steps include installing the vendor patch version 4.4.1 or later, which fixes this and other critical vulnerabilities. Additionally, restrict network access to the exos 9300 server ports (8002, 1004, 1005, 4000) by implementing network segmentation and firewall rules to allow only trusted systems to connect. Replace any hardcoded credentials and enforce strong authentication mechanisms. Review and secure database password derivation and storage methods, and audit encryption methods for sensitive data such as PINs. Refer to the SEC Consult blog and dormakaba security advisories for detailed mitigation guidance. [1]

Compliance Impact

The vulnerability allows unauthorized access to sensitive information such as 2FA PINs associated with chip cards and enables attackers to forge access logs and manipulate physical access controls without authentication. This exposure and manipulation of sensitive authentication data and access records can lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and authentication data, as well as maintaining accurate access logs to ensure security and privacy. Therefore, exploitation of this vulnerability could result in violations of data protection and security requirements mandated by such regulations. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59090. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart