CVE-2025-59092 Overview
CVE-2025-59092 affects the Kaba exos 9300 access control system from dormakaba. An RPC (Remote Procedure Call) service runs on TCP port 4000 via the FSMobilePhoneInterface.exe process. The service handles interprocess communication between backend services and the Kaba exos 9300 GUI, including status information about Access Managers and door contacts.
The service requires no authentication for inbound connections. An unauthenticated network attacker can send arbitrary status information about door contacts and related access control components. The weakness is classified under [CWE-798: Use of Hard-coded Credentials]. Note that the behaviour described here, a listener that accepts any inbound connection without credentials, is normally described by CWE-306 (Missing Authentication for Critical Function) rather than CWE-798; confirm the classification against the NVD record and the vendor advisory before reusing it in reports.
Critical Impact
Unauthenticated attackers with network access to TCP port 4000 can inject falsified door contact and Access Manager status data, compromising the integrity of physical access control monitoring.
Affected Products
- dormakaba Kaba exos 9300 access control system
- FSMobilePhoneInterface.exe RPC service component
- Kaba exos 9300 GUI clients consuming RPC status data
Discovery Timeline
- 2026-01-26 - CVE-2025-59092 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-59092
Vulnerability Analysis
The Kaba exos 9300 platform manages physical access infrastructure including doors, readers, and Access Managers. The FSMobilePhoneInterface.exe process exposes an RPC endpoint on TCP port 4000 used for interprocess communication between server-side services and the operator GUI.
The service transmits status information such as door contact states and Access Manager health. A remote attacker reaching port 4000 can interact with the RPC interface without supplying credentials. The attacker can submit arbitrary status messages that the consuming GUI and dependent services will process as authentic telemetry.
The consequence is integrity loss in the access control monitoring chain. Falsified status messages can mask real-world events, simulate non-existent door states, or mislead operators monitoring the GUI. The CVSS vector indicates a network attack path with no privileges or user interaction required and a high impact to integrity.
Root Cause
The RPC service performs no authentication or authorization checks on incoming requests. The protocol design assumes that the endpoint is consumed only by trusted local components. Exposing port 4000 on a reachable network interface removes the only implicit trust boundary.
Attack Vector
An attacker establishes a TCP connection to port 4000 on a host running FSMobilePhoneInterface.exe. The attacker crafts RPC messages matching the service's expected status payload format. The service accepts and propagates the data to GUI consumers without validating the sender's identity or session state. No prior credential theft, social engineering, or user interaction is required.
The vulnerability mechanism is described in the SEC Consult Advisory for dkexos and the Dormakaba Security Advisory.
Detection Methods for CVE-2025-59092
Indicators of Compromise
- Unexpected inbound TCP connections to port 4000 on hosts running FSMobilePhoneInterface.exe from sources outside the trusted management subnet
- GUI displays of door contact or Access Manager status that contradict physical state or controller logs
- RPC traffic patterns to port 4000 originating from non-GUI client hosts
Detection Strategies
- Inventory all systems running the Kaba exos 9300 stack and enumerate processes listening on TCP port 4000
- Capture and baseline normal RPC traffic between FSMobilePhoneInterface.exe and authorized GUI workstations
- Correlate GUI-reported status events with controller-side audit logs to surface integrity mismatches
Monitoring Recommendations
- Alert on any TCP/4000 connection originating outside the documented management VLAN
- Forward Windows process and network telemetry from exos 9300 servers to a centralized log platform for retention and analysis
- Monitor for repeated short-lived connections to port 4000, which may indicate enumeration or status injection attempts
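The detection and monitoring steps above, applied to the Windows Firewall log on an exos 9300 server, as an added example that is not part of the original page and not dormakaba or SEC Consult tooling. It assumes the server logs both allowed and dropped inbound connections to pfirewall.log in the standard Windows Firewall column layout, that the authorized GUI workstations live in an assumed management subnet (10.10.20.0/24), and that five or more connection attempts from one source within sixty seconds count as a burst; the log lines embedded in SAMPLE_LOG are constructed, not captured traffic.

```python
"""Flag untrusted and bursty inbound TCP/4000 connections in a Windows Firewall log."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: authorized exos 9300 GUI workstations live in this management subnet.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.20.0/24")]
# TCP port of the FSMobilePhoneInterface.exe RPC listener described in the advisory.
RPC_PORT = 4000

# Column layout of the Windows Firewall log (pfirewall.log) "#Fields:" header.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()


def parse_line(line):
    """Return one log record as a dict, or None for header, blank or malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        rec["dst-port"] = int(rec["dst-port"])
    except ValueError:
        return None
    return rec


def inbound_rpc_records(lines):
    """Yield inbound (RECEIVE) TCP records addressed to the RPC port, whatever the verdict."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["protocol"] == "TCP" and rec["path"] == "RECEIVE" \
                and rec["dst-port"] == RPC_PORT:
            yield rec


def is_trusted(src_ip):
    """True when the source address belongs to the management subnet."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def untrusted_sources(lines):
    """(timestamp, source, verdict) for every TCP/4000 attempt from outside the management subnet."""
    hits = []
    for rec in inbound_rpc_records(lines):
        if not is_trusted(rec["src-ip"]):
            hits.append((rec["ts"].isoformat(sep=" "), rec["src-ip"], rec["action"]))
    return hits


def connection_bursts(lines, window=timedelta(seconds=60), threshold=5):
    """Sources with at least `threshold` TCP/4000 attempts inside any span of length `window`.

    Returns {source: largest number of attempts seen in one window}. A sliding window over
    the sorted timestamps keeps this linear in the number of records per source.
    """
    by_src = defaultdict(list)
    for rec in inbound_rpc_records(lines):
        by_src[rec["src-ip"]].append(rec["ts"])
    bursts = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[src] = max(bursts.get(src, 0), count)
    return bursts


# Constructed sample log (not real traffic): one GUI workstation in the management subnet,
# one host on a user LAN hammering the RPC port, one dropped probe, plus unrelated records.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2026-02-01 08:00:00 ALLOW TCP 10.10.20.5 10.10.10.2 51000 4000 0 - 0 0 0 - - - RECEIVE
2026-02-01 08:00:03 ALLOW TCP 10.10.20.5 10.10.10.2 51001 4000 0 - 0 0 0 - - - RECEIVE
2026-02-01 08:05:00 ALLOW TCP 192.168.50.77 10.10.10.2 40001 4000 0 - 0 0 0 - - - RECEIVE
2026-02-01 08:05:02 ALLOW TCP 192.168.50.77 10.10.10.2 40002 4000 0 - 0 0 0 - - - RECEIVE
2026-02-01 08:05:04 ALLOW TCP 192.168.50.77 10.10.10.2 40003 4000 0 - 0 0 0 - - - RECEIVE
2026-02-01 08:05:06 ALLOW TCP 192.168.50.77 10.10.10.2 40004 4000 0 - 0 0 0 - - - RECEIVE
2026-02-01 08:05:08 ALLOW TCP 192.168.50.77 10.10.10.2 40005 4000 0 - 0 0 0 - - - RECEIVE
2026-02-01 08:06:00 DROP TCP 192.168.50.78 10.10.10.2 40100 4000 0 - 0 0 0 - - - RECEIVE
2026-02-01 08:06:00 ALLOW TCP 10.10.10.2 10.10.20.5 4000 51000 0 - 0 0 0 - - - SEND
2026-02-01 08:07:00 ALLOW TCP 10.10.20.9 10.10.10.2 52000 443 0 - 0 0 0 - - - RECEIVE
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ts, src, verdict in untrusted_sources(lines):
        print(f"{ts} untrusted source {src} reached TCP/{RPC_PORT} ({verdict})")
    for src, n in connection_bursts(lines).items():
        print(f"{src}: {n} attempts on TCP/{RPC_PORT} within 60 s")
```

Allowed connections are not logged by default; enable them with `netsh advfirewall set allprofiles logging allowedconnections enable` (and `droppedconnections enable`) before relying on this. Set the burst threshold from the traffic baseline captured between FSMobilePhoneInterface.exe and the authorized GUI workstations, since a legitimate GUI that polls status frequently will otherwise trip the burst check as well.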
How to Mitigate CVE-2025-59092
Immediate Actions Required
- Restrict TCP/4000 reachability to authorized GUI workstation IP addresses using host firewall rules or network ACLs
- Place exos 9300 servers on a dedicated, segmented management network isolated from general user and operational technology traffic
- Review the dormakaba security advisories page for vendor-supplied fixes and apply updates as released
Patch Information
Refer to the Dormakaba Security Advisory and the SEC Consult Advisory for dormakaba for current patch availability and version guidance. Apply vendor updates per dormakaba's release notes for the exos 9300 platform.
Workarounds
- Block TCP/4000 at perimeter and internal firewalls except for explicitly authorized GUI hosts
- Disable network exposure of FSMobilePhoneInterface.exe where the GUI runs on the same host as the service, for example with a host firewall rule that admits TCP/4000 only from the loopback address (127.0.0.1)
- Enforce VPN or zero-trust network access for any remote operator interaction with the exos 9300 GUI
# Windows host firewall (elevated cmd or PowerShell prompt): restrict TCP/4000 to the trusted GUI subnet.
# Windows Firewall evaluates explicit block rules before allow rules, so adding an unscoped block rule
# next to the allow rule would cut off the trusted subnet as well. Instead, confirm the default inbound
# action is Block (the Windows default) and add a single allow rule scoped to the trusted subnet.
netsh advfirewall show allprofiles firewallpolicy
netsh advfirewall firewall add rule name="exos9300-RPC-allow" dir=in action=allow protocol=TCP localport=4000 remoteip=10.10.20.0/24
# Any pre-existing, broader inbound allow rule (for example a per-program rule for FSMobilePhoneInterface.exe)
# would still admit untrusted sources; review the inbound rule set and remove or re-scope such rules.
netsh advfirewall firewall show rule name=all dir=in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

