CVE-2025-59091 Overview
CVE-2025-59091 is a critical hardcoded credentials vulnerability affecting the Kaba exos 9300 datapoint server. Multiple hardcoded credentials have been identified that allow unauthorized sign-in to the exos 9300 datapoint server running on ports 1004 and 1005. This server is used for relaying status information from and to Access Managers, which includes graphically visualizing open doors and alerts. More critically, controlling the Access Managers via this interface is also possible, enabling attackers to send commands to open arbitrary doors.
The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to log in to the datapoint server and both receive and send information, including commands that can compromise physical access control systems.
Critical Impact
Attackers with network access can authenticate using hardcoded credentials to gain unauthorized control of physical access management systems, potentially opening arbitrary doors and compromising building security.
Affected Products
- Kaba exos 9300 Datapoint Server
- Dormakaba Access Management Systems
- Systems utilizing exos 9300 on ports 1004 and 1005
Discovery Timeline
- 2026-01-26 - CVE-2025-59091 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-59091
Vulnerability Analysis
This vulnerability represents a severe security flaw classified under CWE-798 (Use of Hard-coded Credentials). The Kaba exos 9300 datapoint server contains embedded credentials for four distinct user accounts within its application code. These credentials cannot be changed by system administrators and provide persistent unauthorized access to the datapoint server infrastructure.
The datapoint server operates as a critical communication relay between access management components, handling status information and control commands. An attacker exploiting these hardcoded credentials gains the same level of access as legitimate system operators, enabling them to monitor door states, receive security alerts, and most critically, issue commands to open doors without proper authorization.
The network-based attack vector requires no user interaction or prior authentication, making this vulnerability particularly dangerous in environments where the datapoint server is accessible from untrusted networks.
Root Cause
The root cause of this vulnerability stems from insecure development practices where authentication credentials were embedded directly within the application source code or configuration. This approach creates a fundamental security weakness because:
- The credentials are identical across all installations of the affected software
- Credentials cannot be changed or rotated by administrators
- Reverse engineering or decompilation can expose the embedded credentials
- The credentials persist even after software updates unless specifically patched
Attack Vector
The attack vector is network-based, targeting TCP ports 1004 and 1005, where the datapoint server listens for connections. An attacker with network access to these ports can:
- Connect to the datapoint server on port 1004 or 1005
- Authenticate using one of the four hardcoded credential sets
- Begin receiving status information about Access Manager states
- Send commands to control Access Managers, including opening doors
The vulnerability requires no special privileges, no user interaction, and can be exploited remotely from any network position with connectivity to the affected ports. Once authenticated, the attacker has full access to the datapoint server's functionality, including the ability to manipulate physical access control systems.
Detection Methods for CVE-2025-59091
Indicators of Compromise
- Unexpected network connections to ports 1004 or 1005 from unauthorized IP addresses
- Authentication events from the four hardcoded user accounts during unusual hours or from unexpected source addresses
- Anomalous door open commands or status queries not correlating with legitimate operator activity
- Multiple simultaneous sessions using the same hardcoded credentials from different network locations
Detection Strategies
- Monitor network traffic to ports 1004 and 1005 for connections originating from outside trusted management networks
- Implement authentication logging on the datapoint server and alert on successful logins from unexpected sources
- Deploy network intrusion detection signatures to identify connection attempts using known hardcoded credential patterns
- Establish baseline patterns for normal Access Manager communication and alert on deviations
Monitoring Recommendations
- Configure SIEM rules to correlate authentication events with network flow data for ports 1004/1005
- Implement real-time alerting for any door open commands that occur outside of scheduled access windows
- Monitor for lateral movement patterns where initial datapoint server access precedes other network reconnaissance
- Review access logs regularly for evidence of automated or scripted interactions with the datapoint server
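The indicators and detection strategies above can be checked mechanically once datapoint-server authentication events and network flow records are available in a SIEM or a log file. The following Python script is an added example written for this page; it is not code from the advisory, from Dormakaba or from SEC Consult. It correlates constructed sample records (the log format, the trusted management subnet 10.0.100.0/24, the operator hours and the placeholder account names are all assumptions, since the advisory does not name the four built-in accounts) and reports four of the listed indicators: connections to 1004/1005 from outside the management network, built-in-account logins outside staffed hours, door-open commands outside the access window, and the same built-in account logging in from two different sources within a short interval.

```python
"""Added detection example (not from the advisory or the vendor).

Input format is a constructed one-line-per-event log:
    <ISO timestamp> <source ip> <dst port> <event> <account or ->
Real deployments would map their firewall/flow logs and datapoint-server
authentication logs onto these fields.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, time, timedelta

DATAPOINT_PORTS = {1004, 1005}
TRUSTED_MGMT_NET = ipaddress.ip_network("10.0.100.0/24")  # assumed management subnet
OPERATOR_HOURS = (time(7, 0), time(19, 0))                 # assumed staffed access window
CONCURRENT_WINDOW = timedelta(minutes=5)                   # assumed "simultaneous" threshold
# Placeholder names: the advisory does not disclose the four built-in accounts.
BUILTIN_ACCOUNTS = {"builtin_user_1", "builtin_user_2",
                    "builtin_user_3", "builtin_user_4"}

# Constructed sample log: one legitimate operator session, one off-hours
# session from an untrusted subnet using a built-in account, and two near-
# simultaneous built-in logins from different trusted hosts.
SAMPLE_LOG = """\
2026-01-26T08:15:02 10.0.100.12 1004 login operator_a
2026-01-26T08:15:03 10.0.100.12 1004 status_query -
2026-01-26T02:41:10 192.168.50.9 1005 login builtin_user_2
2026-01-26T02:41:11 192.168.50.9 1005 door_open -
2026-01-26T09:02:00 10.0.100.40 1004 login builtin_user_2
2026-01-26T09:02:05 10.0.100.41 1004 login builtin_user_2
"""


def parse_line(line):
    """Split one constructed log line into typed fields."""
    ts, src, port, event, account = line.split()
    return {"ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "port": int(port), "event": event, "account": account}


def in_operator_hours(ts):
    start, end = OPERATOR_HOURS
    return start <= ts.time() <= end


def analyze(log_text):
    """Return a list of (indicator, detail...) tuples for the given log text."""
    findings = []
    builtin_logins = defaultdict(list)  # account -> [(timestamp, source ip)]

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["port"] not in DATAPOINT_PORTS:
            continue  # only traffic to the datapoint server is of interest here

        # Indicator 1: any datapoint-server traffic from outside the trusted subnet.
        if rec["src"] not in TRUSTED_MGMT_NET:
            findings.append(("untrusted_source", str(rec["src"]), rec["event"]))

        # Indicator 2: built-in account used outside staffed hours.
        if rec["event"] == "login" and rec["account"] in BUILTIN_ACCOUNTS:
            builtin_logins[rec["account"]].append((rec["ts"], rec["src"]))
            if not in_operator_hours(rec["ts"]):
                findings.append(("builtin_login_off_hours",
                                 rec["account"], str(rec["src"])))

        # Indicator 3: door-open command outside the scheduled access window.
        if rec["event"] == "door_open" and not in_operator_hours(rec["ts"]):
            findings.append(("door_open_off_hours", str(rec["src"]),
                             rec["ts"].isoformat()))

    # Indicator 4: same built-in account logging in from two different sources
    # within CONCURRENT_WINDOW of each other.
    for account, logins in builtin_logins.items():
        logins.sort()
        for (t1, s1), (t2, s2) in zip(logins, logins[1:]):
            if s1 != s2 and t2 - t1 <= CONCURRENT_WINDOW:
                findings.append(("concurrent_builtin_sessions", account,
                                 str(s1), str(s2)))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports five findings: two untrusted-source events and one off-hours built-in login and one off-hours door-open from 192.168.50.9, plus one concurrent-session finding for builtin_user_2 across 10.0.100.40 and 10.0.100.41. The thresholds are deliberately simple; in practice the operator window and the trusted subnet should come from the site's access schedule and network inventory rather than constants.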
How to Mitigate CVE-2025-59091
Immediate Actions Required
- Restrict network access to ports 1004 and 1005 using firewall rules, allowing only authorized management stations
- Implement network segmentation to isolate the exos 9300 datapoint server from general network traffic
- Enable comprehensive logging of all authentication attempts and commands sent to the datapoint server
- Contact Dormakaba for updated software that addresses the hardcoded credentials vulnerability
Patch Information
Dormakaba has published security advisories regarding this vulnerability. Organizations should review the Dormakaba Security Advisories page for official patch information and updated software releases. Additional technical details are available through the SEC Consult DKExos Advisory and SEC Consult Dormakaba Advisory.
Workarounds
- Deploy strict network access control lists (ACLs) limiting connectivity to ports 1004 and 1005 to only verified management workstations
- Consider placing the datapoint server behind a VPN or jump host requiring additional authentication before access
- Implement network monitoring to detect and alert on any unauthorized connection attempts to the affected ports
- Evaluate deploying a web application firewall or network proxy capable of inspecting and filtering traffic to the datapoint server
# Network isolation configuration example (iptables)
# Restrict access to datapoint server ports from trusted management network only
# Note: -A appends to the end of INPUT; if an earlier rule already accepts this
# traffic (for example a broad allow rule), these rules never match. Insert them
# ahead of such rules (-I) or verify the final order with: iptables -L INPUT -n --line-numbers
iptables -A INPUT -p tcp --dport 1004 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 1005 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 1004 -j DROP
iptables -A INPUT -p tcp --dport 1005 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

