
CVE-2025-59093: Exos 9300 Auth Bypass Vulnerability

CVE-2025-59093 is an authentication bypass vulnerability in Exos 9300 that exposes predictable database passwords, allowing unauthorized database access. This post covers technical details, affected versions, and mitigation.


CVE-2025-59093 Overview

CVE-2025-59093 is a high-severity vulnerability affecting Dormakaba Exos 9300 access control systems. The vulnerability stems from insecure database password generation: the password used to connect to the configured MSSQL server is derived from static values built into the software, concatenated with the hostname and a random string that any user can read from the Windows registry. This allows an attacker with local access to derive the database password and gain authenticated access to the central Exos 9300 database.

Critical Impact

Attackers can derive database credentials and gain unauthorized access to the Exos 9300 MSSQL database, enabling them to read sensitive data from most tables and perform updates and inserts into many tables as the Exos9300Common user.

Affected Products

  • Dormakaba Exos 9300 access control system instances
  • MSSQL database configurations connected to Exos 9300

Discovery Timeline

  • 2026-01-26 - CVE-2025-59093 published to NVD
  • 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2025-59093

Vulnerability Analysis

The vulnerability falls under CWE-656 (Reliance on Security Through Obscurity). The Exos 9300 system employs a flawed password generation mechanism that relies on predictable components rather than a cryptographically secure random secret. The database password is constructed by concatenating static values built into the software with the system hostname and a random string stored in the Windows registry.

Since the registry key containing the random string component is readable by any local user, an attacker with basic user-level access to the system can retrieve this value. Combined with knowledge of the static values used in the algorithm and the hostname (which is easily obtainable), an attacker can reconstruct the complete database password.

Once authenticated to the database, the attacker operates under the Exos9300Common user context, which has the ExosDialog and ExosDialogDotNet roles assigned. These roles provide extensive permissions including the ability to read data from most database tables and perform write operations (UPDATE and INSERT) on many tables.

Root Cause

The root cause is the reliance on a deterministic password derivation algorithm that uses predictable or accessible components. The design violates secure password management principles by:

  1. Using static random values that remain constant across installations
  2. Incorporating the hostname, which is publicly known information
  3. Storing the remaining random component in a registry location accessible to all local users

This approach assumes security through obscurity rather than implementing proper cryptographic key management practices.

Attack Vector

The attack requires local access to the system. An attacker must:

  1. Obtain local user access to a machine running the Exos 9300 software
  2. Read the random string component from the Windows registry
  3. Obtain the system hostname
  4. Apply the known password derivation algorithm using the static values
  5. Connect to the MSSQL server using the derived credentials as Exos9300Common

The vulnerability mechanism relies on the predictable nature of the password derivation. The attacker queries the registry for the stored random component, combines it with the static seed values and hostname using the known algorithm, and produces valid database credentials. For complete technical details, refer to the SEC Consult Security Advisory.

Detection Methods for CVE-2025-59093

Indicators of Compromise

  • Unexpected registry access patterns to Exos 9300 configuration keys by non-service accounts
  • Anomalous database connections to the Exos 9300 MSSQL database from unexpected user accounts or workstations
  • Unusual read queries against sensitive tables in the Exos 9300 database
  • Database INSERT or UPDATE operations occurring outside normal operational hours or patterns

Detection Strategies

  • Monitor Windows Security Event Log for registry access events (Event ID 4663) targeting Exos 9300 registry keys
  • Configure MSSQL auditing to log all connections and queries made by the Exos9300Common user
  • Implement database activity monitoring to detect bulk data extraction or unauthorized modifications
  • Deploy endpoint detection to alert on processes reading specific registry paths associated with Exos 9300
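Detection logic of the kind listed above, as an added example that is not part of the original advisory: it runs over constructed event records (modelled on the Windows 4663 registry-access fields and on SQL Server login-audit fields, e.g. as exported by a log forwarder) and flags reads of the Exos 9300 registry key by accounts outside a service-account allowlist, plus Exos9300Common logins from hosts that are not the application servers. The registry path is the one given on this page; the allowlisted accounts and hosts are assumptions.

```python
"""Flag CVE-2025-59093 indicators in forwarded Windows and SQL Server audit records."""

# Registry path as given on this page, in the \REGISTRY\MACHINE form used by Event ID 4663.
EXOS_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Dormakaba\Exos9300"
# Allowlists are assumptions for this example; populate them from the real deployment.
ALLOWED_REGISTRY_READERS = {r"NT AUTHORITY\SYSTEM", r"CORP\svc-exos"}
ALLOWED_DB_HOSTS = {"EXOS-APP01"}
KEY_QUERY_VALUE = 0x1  # bit in the 4663 AccessMask that means a value was read


def registry_read_alerts(events):
    """Return (account, process) pairs for 4663 reads under the Exos key by non-allowlisted accounts."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4663 or ev.get("ObjectType") != "Key":
            continue
        if not ev.get("ObjectName", "").upper().startswith(EXOS_KEY.upper()):
            continue
        if int(ev.get("AccessMask", "0x0"), 16) & KEY_QUERY_VALUE == 0:
            continue  # ignore events that did not read a value
        who = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
        if who not in ALLOWED_REGISTRY_READERS:
            alerts.append((who, ev["ProcessName"]))
    return alerts


def db_login_alerts(logins):
    """Return (client_host, session_id) for Exos9300Common logins from non-application hosts."""
    return [(l["client_host"], l["session_id"]) for l in logins
            if l["server_principal"] == "Exos9300Common" and l["client_host"] not in ALLOWED_DB_HOSTS]


# Constructed sample records (not real telemetry).
SAMPLE_4663 = [
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": EXOS_KEY + r"\DbConfig", "AccessMask": "0x1",
     "SubjectDomainName": "CORP", "SubjectUserName": "svc-exos", "ProcessName": r"C:\Exos\ExosService.exe"},
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": EXOS_KEY + r"\DbConfig", "AccessMask": "0x1",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\regedit.exe"},
    {"EventID": 4663, "ObjectType": "Key", "ObjectName": EXOS_KEY, "AccessMask": "0x20000",
     "SubjectDomainName": "CORP", "SubjectUserName": "jdoe", "ProcessName": r"C:\Windows\regedit.exe"},
]
SAMPLE_LOGINS = [
    {"server_principal": "Exos9300Common", "client_host": "EXOS-APP01", "session_id": 51},
    {"server_principal": "Exos9300Common", "client_host": "WS-0417", "session_id": 52},
    {"server_principal": "sa", "client_host": "WS-0417", "session_id": 53},
]

if __name__ == "__main__":
    print("registry:", registry_read_alerts(SAMPLE_4663))
    print("database:", db_login_alerts(SAMPLE_LOGINS))
```

The third registry record (AccessMask 0x20000, READ_CONTROL only) is deliberately not flagged, so that ACL inspection by tooling does not drown the alert in noise.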

Monitoring Recommendations

  • Enable verbose logging on the MSSQL server hosting the Exos 9300 database
  • Configure alerts for database connections from non-standard source IPs or hosts
  • Implement file integrity monitoring on Exos 9300 installation directories
  • Review database audit logs regularly for signs of enumeration or data exfiltration

How to Mitigate CVE-2025-59093

Immediate Actions Required

  • Restrict network access to the MSSQL server hosting Exos 9300 data to only authorized application servers
  • Implement Windows registry ACLs to restrict read access to Exos 9300 configuration keys to only required service accounts
  • Review and audit database access permissions for the Exos9300Common user and associated roles
  • Enable SQL Server authentication auditing and monitor for suspicious connection patterns

Patch Information

Consult the Dormakaba Security Advisories page for official patch information and updated software versions that address this vulnerability. Organizations should contact Dormakaba support to obtain the latest security updates for their Exos 9300 installations.

Workarounds

  • Implement network segmentation to isolate the MSSQL database server from general user networks
  • Apply the principle of least privilege to the Exos9300Common database user by reviewing and restricting assigned roles
  • Deploy database firewall solutions to restrict SQL query types and patterns
  • Consider implementing additional protection layers such as SQL Server Always Encrypted for sensitive columns, so that derived credentials alone do not yield plaintext data

```powershell
# Example: Restrict registry key permissions (PowerShell)
# The key path is the one given in this advisory; verify it against the actual installation.
$keyPath = "HKLM:\SOFTWARE\Dormakaba\Exos9300"
$acl = Get-Acl -Path $keyPath
# Stop inheriting the permissive defaults from HKLM\SOFTWARE and drop the inherited entries
$acl.SetAccessRuleProtection($true, $false)
# Full control for SYSTEM and local Administrators only
foreach ($principal in @("NT AUTHORITY\SYSTEM", "BUILTIN\Administrators")) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($principal, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow")))
}
# Read-only access for the Exos service account (placeholder name; replace with the real account)
$acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule("DOMAIN\ExosServiceAccount", "ReadKey", "ContainerInherit,ObjectInherit", "None", "Allow")))
Set-Acl -Path $keyPath -AclObject $acl
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
