Vulnerability Overview

Title: Multiple Critical Vulnerabilities in DORMAKABA exos 9300 Physical Access System

CVE IDs:
- CVE-2025-59090
- CVE-2025-59091
- CVE-2025-59092
- CVE-2025-59093
- CVE-2025-59094
- CVE-2025-59095
- CVE-2025-59096

Vulnerability Details

1. Authentication Bypass via Unauthenticated SOAP API (CVE-2025-59090): authentication can be bypassed through a SOAP API that requires no authentication.
2. Hardcoded Credentials Allowing Control Over Exos Devices (CVE-2025-59091): hardcoded credentials enable control over Exos devices.
3. Unauthenticated Access to Exos Management Interfaces (CVE-2025-59092): Exos management interfaces are reachable without authentication.
4. Insecure Password Derivation Function for Exos Database (CVE-2025-59093): the function used to derive the Exos database password is insecure.
5. Local Privilege Escalation on Exos Devices (CVE-2025-59094): a local user can escalate privileges on Exos devices.
6. Hard-coded Key for Card Data Encryption (CVE-2025-59095): card data is encrypted with a hard-coded key.
7. Weak Default Passwords in Exos Software (CVE-2025-59096): the Exos software ships with weak default passwords.

Business Recommendations

Immediate installation of the multiple available patches is recommended. For more information, visit https://r.sec-consult.com/dormakaba and https://www.dormakabagroup.com/en/security-advisories.

Test Architecture Overview

The tested system is DORMAKABA's exos 9300 enterprise-level physical access system. It includes multiple components such as access managers, enrollment units and electronic locks.

Vulnerability Description

Each CVE is described in detail, including the specific weakness and its impact: unauthenticated API access, hardcoded credentials, unauthenticated RPC services, an insecure password derivation function, local privilege escalation, hardcoded encryption keys and weak default passwords.

Proof of Concept

The advisory provides PoC code examples for each vulnerability, demonstrating how they can be triggered.

Vendor Contact Timeline

A detailed record of communication with the vendor, including multiple contacts and scheduled meetings.

Solutions and Workarounds

Check installed version numbers, contact vendor partners, review the official hardening guidelines, and replace outdated hardware.

Vendor Security Page

Visit https://www.dormakabagroup.com/en/security-advisories for more detailed information.

Authors

Clemens Stockenreiter, Werner Schober / @ 2025

This information provides a comprehensive understanding of the vulnerabilities present in the DORMAKABA exos 9300 system, including vulnerability types, impacts, proof of concept, and mitigation strategies.