CVE-2025-59093
Exposed Database Password in Exos 9300 Enables Unauthorized Access
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| exos | exos_9300 | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-656 | The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the mechanism. |
AI Powered Q&A
Can you explain this vulnerability to me?
Exos 9300 derives its database password deterministically from static values, the hostname and a random string stored in the registry. Because that registry string can be read by any user on the system, anyone with local access can collect the same inputs, repeat the derivation and obtain the password. The result is authenticated access to the central Exos 9300 database as the user Exos9300Common, whose roles permit reading most tables and inserting or updating rows in many of them. This is the CWE-656 pattern: the mechanism's strength rests on nobody knowing the inputs, yet the inputs are not actually protected.
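The following Python block is an added illustration of the CWE-656 pattern described above; it is not code from the advisory, from SEC Consult or from the Exos vendor. The derivation function, the registry paths, the principal names and the hostname are all hypothetical stand-ins: the page does not describe the real Exos 9300 algorithm, and this example does not attempt to reproduce it. What it shows is the property that matters: a deterministic derivation from inputs a low-privileged user can read is recoverable by that user, whereas a randomly generated secret stored behind a restrictive ACL is not.

```python
"""Illustration of CWE-656 (reliance on obscurity): a database password derived
from readable inputs versus a random secret stored behind an ACL.

Everything here is a hypothetical model, not the Exos 9300 implementation.
"""
import hashlib
import secrets


class Registry:
    """Minimal stand-in for a registry hive: key -> (data, principals allowed to read)."""

    def __init__(self):
        self._values = {}

    def set(self, key, data, readers):
        self._values[key] = (data, frozenset(readers))

    def read(self, key, principal):
        data, readers = self._values[key]  # KeyError if the key does not exist
        if principal not in readers:
            raise PermissionError(f"{principal} may not read {key}")
        return data


# Hypothetical ACLs: a world-readable key versus one restricted to the service account.
EVERYONE = {"SYSTEM", "Administrators", "Users"}
SERVICE_ONLY = {"SYSTEM", "ExosService"}

# Hypothetical "static random values": constants shipped in the product, so anyone
# with the binaries knows them. They add no secrecy to the derivation.
STATIC_VALUES = b"static-values-shipped-with-product"

SEED_KEY = r"SOFTWARE\Vendor\Seed"            # hypothetical path
PASSWORD_KEY = r"SOFTWARE\Vendor\DbPassword"  # hypothetical path


def derive_password_hypothetical(hostname, registry_string):
    """Deterministic derivation: identical inputs always yield the identical password.

    This is NOT the Exos 9300 algorithm; it only models the weakness that any
    party who can read the inputs can compute the output.
    """
    material = STATIC_VALUES + hostname.encode() + registry_string.encode()
    return hashlib.sha256(material).hexdigest()[:24]


def install_weak(reg, hostname):
    """Vulnerable pattern: a random string is written to a world-readable key and the
    password is derived from it, so the password is only as secret as the key ACL."""
    seed = secrets.token_hex(8)
    reg.set(SEED_KEY, seed, EVERYONE)
    return derive_password_hypothetical(hostname, seed)


def install_hardened(reg):
    """Fixed pattern: the password is itself a random secret and is stored where only
    the service account can read it. Knowing hostname and constants gives nothing."""
    password = secrets.token_urlsafe(32)
    reg.set(PASSWORD_KEY, password, SERVICE_ONLY)
    return password


def low_priv_attack(reg, hostname, principal="Users"):
    """What a local, low-privileged user can recover: the password, or None."""
    try:
        seed = reg.read(SEED_KEY, principal)
        return derive_password_hypothetical(hostname, seed)
    except (KeyError, PermissionError):
        pass
    try:
        return reg.read(PASSWORD_KEY, principal)
    except (KeyError, PermissionError):
        return None


def demo_weak(hostname="EXOS-SRV01"):
    """True when the low-privileged user reproduces the real password (the bug)."""
    reg = Registry()
    real_password = install_weak(reg, hostname)
    return low_priv_attack(reg, hostname) == real_password


def demo_hardened(hostname="EXOS-SRV01"):
    """True when the low-privileged user gets nothing but the service still can."""
    reg = Registry()
    real_password = install_hardened(reg)
    attacker_view = low_priv_attack(reg, hostname)
    service_view = reg.read(PASSWORD_KEY, "ExosService")
    return attacker_view is None and service_view == real_password


if __name__ == "__main__":
    print("weak install recoverable by 'Users':", demo_weak())
    print("hardened install resists 'Users':", demo_hardened())
```

The hostname and the shipped constants are treated as public in both variants; the only thing that separates the two outcomes is whether the value that actually carries the entropy is readable by principals other than the service. When reviewing a product for this class of issue, the check is therefore not "is the password random?" but "who can read every input the derivation consumes?".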
How can this vulnerability impact me?
An attacker who exploits this vulnerability gains authenticated access to the central Exos 9300 database with the privileges of Exos9300Common: read access to most tables and insert or update access to many of them. The practical consequences are disclosure of whatever the database holds, manipulation of records that other Exos 9300 components trust, and loss of database integrity. The only prerequisite the advisory states is the ability to read the registry value, which any user can do.