
CVE-2025-59092: Kaba exos 9300 Auth Bypass Vulnerability

CVE-2025-59092 is an authentication bypass flaw in Kaba exos 9300's RPC service on port 4000, allowing unauthenticated access to door control systems. This article covers technical details, affected versions, and mitigation.

CVE-2025-59092 Overview

CVE-2025-59092 affects the Kaba exos 9300 access control system from dormakaba. An RPC (Remote Procedure Call) service runs on TCP port 4000 via the FSMobilePhoneInterface.exe process. The service handles interprocess communication between backend services and the Kaba exos 9300 GUI, including status information about Access Managers and door contacts.

The service requires no authentication for inbound connections. An unauthenticated network attacker can send arbitrary status information about door contacts and related access control components. The weakness is classified under CWE-798: Use of Hard-coded Credentials.

Critical Impact

Unauthenticated attackers with network access to TCP port 4000 can inject falsified door contact and Access Manager status data, compromising the integrity of physical access control monitoring.

Affected Products

  • dormakaba Kaba exos 9300 access control system
  • FSMobilePhoneInterface.exe RPC service component
  • Kaba exos 9300 GUI clients consuming RPC status data

Discovery Timeline

  • 2026-01-26 - CVE-2025-59092 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-59092

Vulnerability Analysis

The Kaba exos 9300 platform manages physical access infrastructure including doors, readers, and Access Managers. The FSMobilePhoneInterface.exe process exposes an RPC endpoint on TCP port 4000 used for interprocess communication between server-side services and the operator GUI.

The service transmits status information such as door contact states and Access Manager health. A remote attacker reaching port 4000 can interact with the RPC interface without supplying credentials. The attacker can submit arbitrary status messages that the consuming GUI and dependent services will process as authentic telemetry.

The consequence is integrity loss in the access control monitoring chain. Falsified status messages can mask real-world events, simulate non-existent door states, or mislead operators monitoring the GUI. The CVSS vector indicates a network attack path with no privileges or user interaction required and a high impact to integrity.

Root Cause

The RPC service performs no authentication or authorization checks on incoming requests. The protocol design assumes that the endpoint is consumed only by trusted local components. Exposing port 4000 on a reachable network interface removes the only implicit trust boundary.
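The missing trust boundary described above, reduced to a small Python model. This is an added example, not dormakaba code and not the exos 9300 RPC protocol: the JSON message shape, the StatusSink classes, the shared key and the 10.10.20.0/24 management subnet are all assumptions. The first sink accepts any status message from any peer, which is the behaviour the advisory describes; the second enforces a source allowlist and an HMAC over the message body, so a message from an unknown host or without a valid tag never reaches the door-state table.

```python
"""Root-cause illustration for CVE-2025-59092 (added example, assumed protocol).

A status sink with no sender checks next to a hardened one that requires the
peer to be in the management subnet and the message to carry a valid HMAC.
"""
import hashlib
import hmac
import ipaddress
import json

# Assumed shared secret provisioned out of band to both GUI and service.
SHARED_KEY = b"example-key-not-for-production"
# Assumed management VLAN hosting the authorized GUI workstations.
MANAGEMENT_SUBNET = ipaddress.ip_network("10.10.20.0/24")


class UnauthenticatedStatusSink:
    """Models the vulnerable behaviour: sender identity is never checked."""

    def __init__(self):
        self.door_state = {}

    def handle(self, peer_ip, raw):
        msg = json.loads(raw)
        self.door_state[msg["door"]] = msg["state"]  # trusted as-is
        return True


def sign(payload):
    """Wrap a status body in an envelope carrying an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": payload, "tag": tag}, sort_keys=True).encode()


class AuthenticatedStatusSink:
    """Hardened variant: network allowlist plus HMAC over the status body."""

    def __init__(self):
        self.door_state = {}
        self.rejected = []  # (peer_ip, reason) for audit logging

    def handle(self, peer_ip, raw):
        if ipaddress.ip_address(peer_ip) not in MANAGEMENT_SUBNET:
            self.rejected.append((peer_ip, "peer outside management subnet"))
            return False
        try:
            envelope = json.loads(raw)
            body = json.dumps(envelope["body"], sort_keys=True).encode()
            expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, envelope["tag"]):
                self.rejected.append((peer_ip, "bad HMAC"))
                return False
        except (KeyError, TypeError, ValueError):
            self.rejected.append((peer_ip, "malformed envelope"))
            return False
        msg = envelope["body"]
        self.door_state[msg["door"]] = msg["state"]
        return True


def demo():
    """Feed a constructed forged message and a genuine one to both sinks."""
    forged = json.dumps({"door": "server-room", "state": "closed"}).encode()
    genuine = sign({"door": "server-room", "state": "open"})

    vuln = UnauthenticatedStatusSink()
    vuln.handle("192.168.1.77", forged)   # accepted: GUI now shows "closed"

    hard = AuthenticatedStatusSink()
    hard.handle("192.168.1.77", forged)   # rejected: outside subnet
    hard.handle("10.10.20.15", forged)    # rejected: no envelope / no tag
    hard.handle("10.10.20.15", genuine)   # accepted
    return vuln.door_state, hard.door_state, hard.rejected


if __name__ == "__main__":
    print(demo())
```

The allowlist alone is not sufficient in the real deployment (it still trusts any host that can spoof or occupy a management address), which is why the hardened sink also binds message authenticity to a key; replay protection (a nonce or timestamp inside the signed body) would be the next addition.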

Attack Vector

An attacker establishes a TCP connection to port 4000 on a host running FSMobilePhoneInterface.exe. The attacker crafts RPC messages matching the service's expected status payload format. The service accepts and propagates the data to GUI consumers without validating the sender's identity or session state. No prior credential theft, social engineering, or user interaction is required.

The vulnerability mechanism is described in the SEC Consult Advisory for dkexos and the Dormakaba Security Advisory.

Detection Methods for CVE-2025-59092

Indicators of Compromise

  • Unexpected inbound TCP connections to port 4000 on hosts running FSMobilePhoneInterface.exe from sources outside the trusted management subnet
  • GUI displays of door contact or Access Manager status that contradict physical state or controller logs
  • RPC traffic patterns to port 4000 originating from non-GUI client hosts

Detection Strategies

  • Inventory all systems running the Kaba exos 9300 stack and enumerate processes listening on TCP port 4000
  • Capture and baseline normal RPC traffic between FSMobilePhoneInterface.exe and authorized GUI workstations
  • Correlate GUI-reported status events with controller-side audit logs to surface integrity mismatches

Monitoring Recommendations

  • Alert on any TCP/4000 connection originating outside the documented management VLAN
  • Forward Windows process and network telemetry from exos 9300 servers to a centralized log platform for retention and analysis
  • Monitor for repeated short-lived connections to port 4000, which may indicate enumeration or status injection attempts
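The detection strategies and monitoring recommendations above, as an added Python example that is not part of the original advisory: it runs over constructed connection records and emits an alert for any TCP/4000 connection to an exos 9300 server from outside the management subnet, and a second alert for a burst of short-lived TCP/4000 connections from one source. The record format (timestamp, source IP, source port, destination IP, destination port, duration in seconds), the server address 10.10.30.5 and the 10.10.20.0/24 management subnet are assumptions; adapt the parser to whatever flow or Sysmon export the log platform actually holds.

```python
"""Detection example for CVE-2025-59092 exposure (added example, constructed data).

Flags TCP/4000 connections to exos 9300 hosts from outside the management
subnet and bursts of short-lived connections that match the monitoring
recommendation on enumeration or status-injection attempts.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

EXOS_RPC_PORT = 4000
# Assumed management VLAN that hosts the authorized GUI workstations.
MANAGEMENT_SUBNET = ipaddress.ip_network("10.10.20.0/24")
# Assumed exos 9300 server addresses (constructed).
EXOS_SERVERS = {"10.10.30.5"}

# Constructed sample records: ts src_ip src_port dst_ip dst_port duration_s
SAMPLE_LOG = """\
2026-02-01T08:00:01 10.10.20.15 51234 10.10.30.5 4000 3600.0
2026-02-01T08:05:10 10.10.20.16 51240 10.10.30.5 4000 2900.0
2026-02-01T09:12:03 192.168.1.77 40001 10.10.30.5 4000 0.4
2026-02-01T09:12:04 192.168.1.77 40002 10.10.30.5 4000 0.3
2026-02-01T09:12:05 192.168.1.77 40003 10.10.30.5 4000 0.5
2026-02-01T09:12:06 192.168.1.77 40004 10.10.30.5 4000 0.2
2026-02-01T09:12:07 192.168.1.77 40005 10.10.30.5 4000 0.4
2026-02-01T10:00:00 10.10.20.15 51300 10.10.30.5 443 12.0
"""


def parse_records(text):
    """Parse whitespace-separated connection records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, dur = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "sport": int(sport),
            "dst": dst,
            "dport": int(dport),
            "duration": float(dur),
        })
    return records


def rpc_connections(records):
    """Only connections to the exos RPC port on a known exos server."""
    return [r for r in records
            if r["dst"] in EXOS_SERVERS and r["dport"] == EXOS_RPC_PORT]


def untrusted_sources(records):
    """Sources reaching TCP/4000 from outside the management subnet."""
    return sorted({str(r["src"]) for r in rpc_connections(records)
                   if r["src"] not in MANAGEMENT_SUBNET})


def burst_sources(records, window=timedelta(seconds=10), min_count=5, max_duration=1.0):
    """Sources with >= min_count short-lived TCP/4000 connections in one window."""
    per_src = defaultdict(list)
    for r in rpc_connections(records):
        if r["duration"] <= max_duration:
            per_src[r["src"]].append(r["ts"])
    flagged = set()
    for src, times in per_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                flagged.add(str(src))
                break
    return sorted(flagged)


def build_alerts(text):
    """Run both detections and return human-readable alert strings."""
    records = parse_records(text)
    alerts = []
    for src in untrusted_sources(records):
        alerts.append(f"TCP/{EXOS_RPC_PORT} from {src}: outside management subnet {MANAGEMENT_SUBNET}")
    for src in burst_sources(records):
        alerts.append(f"TCP/{EXOS_RPC_PORT} from {src}: burst of short-lived connections")
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_LOG):
        print(alert)
```

The subnet check is the higher-confidence signal; the burst threshold (five sub-second connections inside ten seconds) is a starting point that should be tuned against the baseline captured between FSMobilePhoneInterface.exe and the authorized GUI workstations, since a legitimate GUI reconnect storm after a server restart can look similar.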

How to Mitigate CVE-2025-59092

Immediate Actions Required

  • Restrict TCP/4000 reachability to authorized GUI workstation IP addresses using host firewall rules or network ACLs
  • Place exos 9300 servers on a dedicated, segmented management network isolated from general user and operational technology traffic
  • Review the dormakaba security advisories page for vendor-supplied fixes and apply updates as released

Patch Information

Refer to the Dormakaba Security Advisory and the SEC Consult Advisory for dormakaba for current patch availability and version guidance. Apply vendor updates per dormakaba's release notes for the exos 9300 platform.

Workarounds

  • Block TCP/4000 at perimeter and internal firewalls except for explicitly authorized GUI hosts
  • Disable network exposure of FSMobilePhoneInterface.exe where the GUI runs on the same host as the service
  • Enforce VPN or zero-trust network access for any remote operator interaction with the exos 9300 GUI
```cmd
:: Windows host firewall: restrict TCP/4000 to a trusted GUI subnet.
:: Windows Defender Firewall evaluates explicit block rules before allow
:: rules, so a blanket block rule on port 4000 would override the allow rule
:: below and cut off the GUI workstations as well. Instead, rely on the
:: default inbound action being "block" (confirm the current policy first
:: with: netsh advfirewall show allprofiles).
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

:: Allow the exos 9300 RPC port only from the management subnet.
:: 10.10.20.0/24 is an example value; substitute the documented GUI subnet.
netsh advfirewall firewall add rule name="exos9300-RPC-allow" ^
  dir=in action=allow protocol=TCP localport=4000 ^
  remoteip=10.10.20.0/24
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
