CVE-2025-59097
Published 2026-01-26
Priority P268 · critical · 9.3 (CVSS 4.0)
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.52% (40.4th percentile)
The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps.
This insecure default allows an attacker with network-level access to take complete control of the whole environment. For example, an attacker can easily carry out the following tasks without prior authentication:
- Re-configure Access Managers (e.g. remove alarming system requirements)
- Freely re-configure the inputs and outputs
- Open all connected doors permanently
- Open all doors for a defined time interval
- Change the admin password
- and many more
Network-level access can be gained through insufficient network segmentation and missing LAN firewalls. Devices with this insecure configuration have been identified directly exposed to the internet.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| dormakaba | access_manager_92xx-k5 | — | — |
GHSA-8fr2-7cfw-phcg (ghsa_unreviewed, 2026-01-26, CVSS 9.3): CVE-2025-59102 [CRITICAL] CWE-312
The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration, including encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with the fact that an attacker can easily reach the backup functionality by abusing the session management issue (CVE-2025-59101), by exploiting the weak default password (CVE-2025-59108), or by simply setting a new password without prior authentication via the SOAP API (CVE-2025-59097), it is easily possible to access the sensitive data on the device.
GHSA-58xh-r44m-24vv (ghsa_unreviewed, 2026-01-26): CVE-2025-59097 [CRITICAL] CWE-306 (the advisory text given above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.