SOAP API Vulnerability in exos 9300 Server by dormakaba
CVE-2025-59090

9.3 CRITICAL

Key Information:

Vendor: Dormakaba
CVE Published: 26 January 2026

What is CVE-2025-59090?

The exos 9300 server hosts a SOAP API on port 8002 that is accessible without authentication. This vulnerability allows unauthorized users to interact with the server, enabling actions such as the creation of arbitrary access log events and querying sensitive two-factor authentication PINs linked to enrolled chip cards. The lack of authentication presents significant security risks for organizations utilizing this server.

Affected Version(s)

Kaba exos 9300 < 4.4.0: manual mitigation needed

Kaba exos 9300 >= 4.4.0 with 92xx-K7: secured by default

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Clemens Stockenreitner, SEC Consult Vulnerability Lab
Werner Schober, SEC Consult Vulnerability Lab