PT-2026-4745 · Exos 9300+2
Published: 2026-01-26 · Updated: 2026-01-26 · CVE-2025-59095
CVSS v4.0: 6.8 (Medium)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
exos 9300 (affected versions not specified)
Description
The program libraries and binaries used by exos 9300 contain multiple hard-coded secrets. The EncryptAndDecrypt function in the Kaba.EXOS.common.dll library applies a simple XOR operation with a static cryptographic key (cryptoKey) derived from the company founder's name. Because the key is constant and shipped inside the library, this does not provide strong encryption, yet it is used to protect user PINs before they are stored in the MSSQL database. The routine is a custom encryption scheme rather than a standard cryptographic algorithm.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
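The following Python is an added illustration of the weakness described above; it is not code from the advisory, from the vendor, or from the affected library. It models the pattern the description names (a repeating-key XOR whose key is compiled into the binary) with a constructed placeholder key; the real cryptoKey is deliberately not reproduced, and the function names and the PBKDF2 iteration count are assumptions. Two checks a reviewer can run against any suspected custom cipher show why the scheme fails: stored values repeat (equal PINs give equal blobs, so the database itself reveals shared PINs) and the output is XOR-linear (the XOR of two stored values equals the XOR of the two PINs, so the key cancels out across records). The hardened variant stores a salted, slow PBKDF2-HMAC verifier instead of a reversible value, since an access-control system only needs to check a PIN, never to recover it.

```python
import hashlib
import hmac
import os

# Constructed placeholder standing in for the static key the advisory
# describes; the real cryptoKey (derived from a founder's name) is not used.
STATIC_KEY = b"PlaceholderKey"

# Assumed work factor; raise it for production to match current guidance.
PBKDF2_ITERATIONS = 200_000


def encrypt_and_decrypt(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Repeating-key XOR in the style of the advisory's EncryptAndDecrypt:
    the same call both encrypts and decrypts, and the key never changes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def store_pin_xor(pin: str) -> bytes:
    """Weak pattern: a reversible blob keyed with a constant inside the DLL."""
    return encrypt_and_decrypt(pin.encode())


def store_pin_hashed(pin: str, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Hardened pattern: per-record random salt plus a slow salted hash.
    The stored value is salt || digest; nothing in the binary can reverse it."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return salt + digest


def verify_pin_hashed(pin: str, stored: bytes, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def stored_values_repeat(store, pin: str) -> bool:
    """Reviewer check 1: does storing the same PIN twice yield identical bytes?
    A static-key XOR always does; a salted scheme must not."""
    return store(pin) == store(pin)


def is_xor_linear(store, pin_a: str, pin_b: str) -> bool:
    """Reviewer check 2: is store(a) XOR store(b) == a XOR b?
    True for any fixed-keystream XOR, meaning the key cancels out across
    records and one known PIN exposes every other PIN of the same length."""
    ca, cb = store(pin_a), store(pin_b)
    pa, pb = pin_a.encode(), pin_b.encode()
    if len(ca) != len(pa) or len(cb) != len(pb):
        return False
    return bytes(x ^ y for x, y in zip(ca, cb)) == bytes(x ^ y for x, y in zip(pa, pb))


if __name__ == "__main__":
    # Constructed sample PINs; the checks flag the XOR scheme and pass the hashed one.
    for name, store in (("static-key XOR", store_pin_xor), ("salted PBKDF2", store_pin_hashed)):
        print(f"{name}: repeats={stored_values_repeat(store, '1234')} "
              f"linear={is_xor_linear(store, '1234', '9876')}")
    record = store_pin_hashed("2468")
    print("verify correct PIN:", verify_pin_hashed("2468", record))
    print("verify wrong PIN:  ", verify_pin_hashed("2469", record))
```

Both reviewer checks are black-box: they need only a callable that turns a PIN into its stored form, so they can be pointed at an unknown routine during a code or binary review without knowing its key. A low-entropy PIN still needs attempt throttling on the verification path; the salted hash removes the offline, database-only recovery that the static XOR allows, not online guessing.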
Weakness Enumeration
Using Hardcoded Credentials
Related Identifiers
CVE-2025-59095
Affected Products
Kaba.Exos.Common.Dll
Mssql
Exos 9300