CVE-2025-59096
Hard-Coded Password in U9ExosAdmin.exe Enables Unauthorized Access
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| kaba | 9300_administration | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
U9ExosAdmin.exe (the "Kaba 9300 Administration" application) ships with a hard-coded default password for its extended admin user mode. The password is embedded in several places inside the application and is also printed in the user documentation that is installed locally, so anyone who can inspect the installation or read its documentation can recover it.
How can this vulnerability impact me?
Anyone with local access to a system running the application can enter the extended admin mode with the known password and obtain administrative privileges they were never granted. From there an attacker can change the configuration, read data the application manages, or use the elevated mode as a foothold for further compromise of the system.
What immediate steps should I take to mitigate this vulnerability?
If the application allows the extended admin password to be changed, change it at once and do not reuse the documented default. A credential that is compiled into the executable (the defining condition of CWE-798) cannot be rotated by the operator, so ask the vendor for a fixed release and verify, after updating, that the old value is no longer present in the binary. Until a fix is deployed, treat every host running U9ExosAdmin.exe as exposed to anyone who can log on locally: restrict who may log on to those systems, remove or restrict access to the locally stored documentation that reproduces the password, and keep all remaining admin credentials unique and securely stored.
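The following script is an added example and is not part of the advisory or of the vendor's software. It shows how an operator can check whether a given build of the executable still embeds a known credential string, searching both the ASCII and the UTF-16LE encodings that Windows binaries commonly use for string literals, and reporting every offset at which it occurs. The credential itself is supplied by the operator (taken from the locally installed documentation); the placeholder value, the sample byte buffer and the file path are constructed for illustration only.

```python
"""Scan a binary for embedded occurrences of a known credential string.

Added example, not the advisory's or the vendor's code. The operator supplies
the documented default password; the script reports whether, and where, a
given build of U9ExosAdmin.exe still contains it.
"""
import sys
from typing import Dict, List


def encodings_for(secret: str) -> Dict[str, bytes]:
    """Byte patterns a Windows binary may use for the same string literal."""
    return {
        "ascii": secret.encode("ascii"),
        # Win32 wide strings and .NET string literals are stored as UTF-16LE.
        "utf-16le": secret.encode("utf-16-le"),
    }


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Return every offset at which `pattern` occurs in `data`."""
    hits: List[int] = []
    start = 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def scan_for_secret(data: bytes, secret: str) -> Dict[str, List[int]]:
    """Map each encoding name to the offsets where the credential appears."""
    return {name: find_all(data, pat) for name, pat in encodings_for(secret).items()}


def total_hits(report: Dict[str, List[int]]) -> int:
    """Number of embedded copies across all encodings."""
    return sum(len(offsets) for offsets in report.values())


# Constructed sample standing in for a binary (this is NOT the real executable):
# a fake PE header, one ASCII copy and two UTF-16LE copies of a placeholder
# credential, separated by zero padding.
SAMPLE_SECRET = "PLACEHOLDER-PW"  # hypothetical value, chosen for the example
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32
    + SAMPLE_SECRET.encode("ascii") + b"\x00" * 16
    + SAMPLE_SECRET.encode("utf-16-le") + b"\x00" * 8
    + SAMPLE_SECRET.encode("utf-16-le") + b"\x00" * 16
)


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <binary> <secret>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    report = scan_for_secret(data, argv[2])
    for enc, offsets in report.items():
        for off in offsets:
            print(f"{enc}: offset 0x{off:08x}")
    count = total_hits(report)
    print(f"{count} occurrence(s) found")
    # Non-zero exit when the credential is still embedded, so the check can
    # gate a deployment pipeline.
    return 1 if count else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_secret.py "C:\path\to\U9ExosAdmin.exe" "<documented password>"` after installing a vendor update; a non-zero exit code means the credential is still present. On the constructed sample buffer the scan reports one ASCII and two UTF-16LE copies. Note that a string found this way proves only that the literal is present, not that it is still accepted as a password; the absence of any hit is likewise not proof that the credential is gone, since it may be stored obfuscated or encrypted.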