CVE-2025-59097
Unauthenticated SOAP Access Allows Full Control of dormakaba exos
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dormakaba | exos_9300 | to BAME_06.00 (exc) |
| dormakaba | access_manager | to BAME_06.00 (exc) |
| dormakaba | access_manager | to XAMB_04.06.212 (exc) |
| dormakaba | access_manager | to BAME_05.02.156 (exc) |
| dormakaba | access_manager | to XAMB_04.05.21 (exc) |
| dormakaba | access_manager | to BAME_04.05.16 (exc) |
| dormakaba | access_manager | to BAME_04.07.268 (exc) |
| dormakaba | access_manager | to BAME_05.01.88 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-1188 | The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability (CVE-2025-59097) affects the dormakaba exos 9300 application used to configure Access Managers via a SOAP interface. By default, the SOAP requests are sent without any authentication or authorization, allowing an attacker with network access to fully control the Access Managers. This includes actions like reconfiguring devices, opening doors permanently or temporarily, changing admin passwords, and disabling security features. Although authentication can be enabled using IPsec or mTLS, it is not enabled by default, making the system insecure if left unconfigured. [1]
How can this vulnerability impact me?
Exploitation of this vulnerability allows an attacker with network access to gain complete control over the physical access control environment. This means attackers can unlock all connected doors permanently or for specific time intervals, change administrative passwords, disable security alarms, and reconfigure inputs and outputs without any prior authentication. This can lead to unauthorized physical access, security breaches, and potential compromise of the entire facility's access control system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying Access Manager devices (e.g., 92xx-K5 and 92xx-K7 models) on your network that expose the SOAP interface without authentication or authorization. Network scanning tools can be used to detect devices with open SOAP ports and to analyze SOAP requests sent without authentication. Commands such as 'nmap' can be used to scan for open SOAP service ports on suspected devices. Additionally, monitoring network traffic for unauthenticated SOAP requests to Access Managers can help detect exploitation attempts. Specific commands might include:
1) nmap -p <SOAP port> --script=http-soap-enum <target IP range>
2) tcpdump or Wireshark filters to capture and analyze SOAP traffic to/from Access Managers.
However, exact commands are not detailed in the provided resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying vendor patches as soon as they are available, enabling authentication and authorization mechanisms such as IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, which are not enabled by default. Additionally, enforce strong passwords, enable encryption for communication channels, and improve network segmentation to restrict network level access to Access Managers. It is also recommended to deploy LAN firewalls to prevent direct exposure of devices to the internet. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to gain unauthorized control over physical access infrastructure, including unlocking doors, changing admin passwords, and extracting sensitive data such as card IDs and PIN entries. Such unauthorized access and potential data exposure can lead to violations of compliance requirements under standards like GDPR and HIPAA, which mandate protection of personal and sensitive data as well as secure access controls. The insecure default configuration and exposure to network attacks increase the risk of data breaches and unauthorized physical access, thereby negatively impacting compliance with these regulations. [1]