CVE-2025-59090

Unauthenticated SOAP API in dormakaba Kaba exos 9300

CVSS 9.3 (Critical) | EPSS 1.0% | CWE-1188, CWE-306
In short

The dormakaba Kaba exos 9300 server exposes a SOAP API without requiring a login, allowing anyone with network access to create fake access logs and steal two-factor authentication PINs from chip cards. This completely bypasses security controls meant to protect physical access systems.

Technical detail

An unauthenticated SOAP API is exposed on port 8002 of the exos 9300 server, enabling network-adjacent attackers to perform unauthorized actions including arbitrary access log event creation and retrieval of 2FA PINs associated with enrolled chip cards. Authentication controls are missing (CWE-306), allowing direct manipulation of security-critical functions and compromise of multi-factor authentication mechanisms.

Summary generated and translated by AI from the official description.

Official description

On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
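Because the API enforces no authentication of its own, the compensating control is to restrict and monitor which hosts can reach TCP/8002 on the exos 9300 server. The following is an added example, not part of the advisory or of any dormakaba code: it scans constructed flow-log lines for connections to that port from sources outside an assumed management subnet. The server address, the allowed subnet and the log format are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample flow records (timestamp src_ip dst_ip dst_port proto).
# These are not real exos traffic; the format is an assumption.
SAMPLE_FLOWS = """\
2025-09-10T08:01:12Z 10.20.1.15 10.20.5.10 8002 tcp
2025-09-10T08:01:40Z 10.20.1.15 10.20.5.10 443 tcp
2025-09-10T08:02:03Z 10.20.7.88 10.20.5.10 8002 tcp
2025-09-10T08:02:09Z 192.168.44.3 10.20.5.10 8002 tcp
2025-09-10T08:03:30Z 10.20.1.16 10.20.5.10 8002 udp
"""

EXOS_SERVERS = {"10.20.5.10"}   # assumed address of the exos 9300 server
EXOS_SOAP_PORT = 8002           # SOAP port named in the advisory
# Assumed: only the access-control management subnet may reach the SOAP API.
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.1.0/24")]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str


def is_allowed(src: str) -> bool:
    """True if the source address lies inside an allowed client subnet."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_CLIENTS)


def parse_flow(line: str):
    """Split one flow record; returns None for malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, src, dst, port, proto = fields
    return ts, src, dst, int(port), proto.lower()


def find_unexpected_soap_clients(log_text: str) -> list[Finding]:
    """Flag TCP connections to the exos SOAP port from non-allowlisted hosts."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if dst in EXOS_SERVERS and port == EXOS_SOAP_PORT and proto == "tcp":
            if not is_allowed(src):
                findings.append(Finding(ts, src, dst))
    return findings
```

Feed real firewall or flow exports through the same function once the record format is adapted; any hit is a host that could issue unauthenticated SOAP requests and should be investigated or blocked.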
