CVE-2025-59091
CRITICALKaba exos 9300 < 4.4.1 - Use of Hard-coded Credentials in Datapoint Server
Title source: llmDescription
Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible. To send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to login to the datapoint server and receive as well as send information, including commands to open arbitrary doors.
References (3)
Core 3
Core References
Various Sources technical-description
https://r.sec-consult.com/dormakaba
Various Sources third-party-advisory
https://r.sec-consult.com/dkexos
Various Sources vendor-advisory
https://www.dormakabagroup.com/en/security-advisories
Scores
CVSS v4
9.3
EPSS
0.0076
EPSS Percentile
50.2%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-798
Status
published
Products (2)
dormakaba/Kaba exos 9300
<4.4.1 manual mitigation needed
dormakaba/Kaba exos 9300
>=4.4.1 secured by default
Published
Jan 26, 2026
Tracked Since
Feb 18, 2026