PT-2026-4747 · Dormakaba · Access Managers 9230+5

Published: 2026-01-26 · Updated: 2026-01-26 · CVE-2025-59097

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: dormakaba exos 9300 (affected versions not specified)

Description: The exos 9300 application, used to configure Access Managers (e.g., 92xx, 9230, and 9290), transmits configuration data via SOAP requests with no authentication or authorization enabled by default. Authentication is available, via IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, but it is not enabled by default and requires additional configuration. An attacker with network access to the interface can therefore take complete control of the environment: reconfigure Access Managers, modify inputs and outputs, open doors, change admin passwords, and more. Network access can be gained through insufficient network segmentation or missing LAN firewalls, and some devices have been identified as directly exposed to the internet.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until one is available, the mitigations the description points to are to enable the authentication the devices already support (IPsec on 92xx-K5, mTLS on 92xx-K7) and to restrict network access to the exos 9300 configuration interface with segmentation and LAN firewalling so that it is not reachable from the internet.

Weakness Enumeration: Missing Authentication

Related Identifiers: CVE-2025-59097

Affected Products:
92xx-K5
92xx-K7
Access Managers 9230
Access Managers 9290
Access Managers 92xx
Dormakaba Exos 9300