CVE-2025-59095
Hard-Coded Secrets in EXOS 9300 DLL Enable Weak PIN Encryption
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | kaba.exos.common | *-* |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves multiple hard-coded secrets in the program libraries (DLLs) and binaries used by EXOS 9300. Specifically, the function "EncryptAndDecrypt" in the Kaba.EXOS.common.dll library uses a simple XOR encryption technique with a static cryptographic key derived from the founder's name. Because XOR with a fixed key is trivially reversible once the key is known, and the key is embedded in the DLL itself, this method does not protect sensitive data such as the user PINs stored in the MSSQL database.
How can this vulnerability impact me?
The vulnerability can lead to exposure of sensitive information, such as user PINs, because the encryption used is weak and relies on a static key. Anyone who can read the binaries or libraries (to recover the key) and the stored database values could decrypt the PINs, leading to unauthorized access or data breaches.