CVE-2025-59095
Unknown Unknown - Not Provided
Hard-Coded Secrets in EXOS 9300 DLL Enable Weak PIN Encryption

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: SEC Consult Vulnerability Lab

Description
The program libraries (DLL) and binaries used by exos 9300 contain multiple hard-coded secrets. One notable example is the function "EncryptAndDecrypt" in the library Kaba.EXOS.common.dll. This algorithm uses a simple XOR encryption technique combined with a cryptographic key (cryptoKey) to transform each character of the input string. However, it's important to note that this implementation does not provide strong encryption and should not be considered secure for sensitive data. It's more of a custom encryption approach rather than a common algorithm used in cryptographic applications. The key itself is static and based on the founder's name of the company. The functionality is for example used to encrypt the user PINs before storing them in the MSSQL database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-59095
EUVD
EUVD-2025-206357
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor kaba.exos.common *-*
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves multiple hard-coded secrets in the program libraries (DLL) and binaries used by exos 9300. Specifically, the function "EncryptAndDecrypt" in the Kaba.EXOS.common.dll library uses a simple XOR encryption technique with a static cryptographic key based on the founder's name. This encryption method is weak and not secure for protecting sensitive data, such as user PINs stored in the MSSQL database.

Impact Analysis

The vulnerability can lead to exposure of sensitive information, such as user PINs, because the encryption used is weak and relies on a static key. Attackers with access to the binaries or libraries could potentially decrypt the stored data, leading to unauthorized access or data breaches.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59095. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart