Weak Encryption Flaw in exos 9300 by Dormakaba
CVE-2025-59095

6.8 MEDIUM

Key Information:

Vendor

Dormakaba

CVE Published:
26 January 2026

What is CVE-2025-59095?

The exos 9300 by Dormakaba contains hard-coded secrets in its program libraries and binaries. The central issue is the 'EncryptAndDecrypt' function in Kaba.EXOS.common.dll, which applies a simple XOR operation with a static key derived from the founder's name. Because the key is fixed and embedded in the library, this construction does not provide the strength required to protect sensitive data, such as user PINs, before they are stored in an MSSQL database. The implementation therefore falls short of industry standards for encrypting data at rest and raises significant concerns about the protection of confidential user information.
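To illustrate the weakness class described above, here is an added example (not Dormakaba's code; the key string and PINs are constructed placeholders, and the hardened variant uses PBKDF2 from the Python standard library as one stand-in for a proper design). It shows that a static repeating-key XOR is its own inverse, that equal PINs yield equal stored values, that a single known pair exposes the key bytes, and how a salted slow hash with constant-time verification avoids all three problems.

```python
"""Static-key XOR versus a salted slow hash for stored PINs (added illustration)."""
import hashlib
import hmac
import os
from itertools import cycle

# Constructed placeholder standing in for a constant embedded in a library.
STATIC_KEY = b"example-founder"


def xor_static(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Repeating-key XOR, the pattern the advisory describes.
    The operation is symmetric: the same call 'encrypts' and 'decrypts',
    so anyone who can read the library constant can read every stored value."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key_from_known_pair(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Weakness check: XOR keeps no secret once one plaintext is known.
    plaintext XOR ciphertext returns the key bytes that covered it."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def store_pin(pin: str, iterations: int = 600_000) -> tuple[bytes, bytes]:
    """Hardened alternative when the PIN only needs to be verified:
    a per-record random salt plus a slow, one-way hash (PBKDF2-HMAC-SHA256).
    Nothing reversible is written to the database."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return salt, digest


def verify_pin(pin: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    """Recompute the hash for the candidate PIN and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    ct = xor_static(b"1234")
    print("same PIN gives same stored value:", ct == xor_static(b"1234"))
    print("key bytes exposed by one known pair:", recover_key_from_known_pair(b"1234", ct))
    salt, digest = store_pin("1234")
    print("hash verify (correct, wrong):", verify_pin("1234", salt, digest), verify_pin("4321", salt, digest))
```

Where a system genuinely has to recover the PIN later rather than just verify it, the hashing approach does not apply; the fix in that case is authenticated encryption with a key kept outside the shipped binary, which this stdlib-only example does not cover.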


Affected Version(s)

Kaba exos 9300 <4.3.3

References

CVSS V4

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Clemens Stockenreitner, SEC Consult Vulnerability Lab
Werner Schober, SEC Consult Vulnerability Lab