CVE-2025-59093 Overview
CVE-2025-59093 is a high-severity vulnerability affecting Dormakaba Exos 9300 access control systems. The vulnerability stems from insecure database password generation: the password used to connect to the configured MSSQL server is derived from static values built into the software, concatenated with the hostname and a random string that is stored in the Windows registry in a location readable by any local user. Because every input to the derivation is recoverable, an attacker with local access can reconstruct the database password and gain authenticated access to the central Exos 9300 database.
Critical Impact
Attackers can derive database credentials and gain unauthorized access to the Exos 9300 MSSQL database, enabling them to read sensitive data from most tables and perform updates and inserts into many tables as the Exos9300Common user.
Affected Products
- Dormakaba Exos 9300 access control system instances
- MSSQL database configurations connected to Exos 9300
Discovery Timeline
- 2026-01-26 - CVE-2025-59093 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-59093
Vulnerability Analysis
The vulnerability falls under CWE-656 (Reliance on Security Through Obscurity). Instead of storing a randomly generated secret where only the service identity can read it, the Exos 9300 software derives the database password deterministically from three components: static values built into the software, the system hostname, and a random string stored in the Windows registry. The randomness of that string adds nothing, because it is read back from a key every local user can open; the only thing standing between a local user and the password is that the derivation algorithm is not published, which is exactly what CWE-656 describes.
Since the registry key containing the random string component is readable by any local user, an attacker with basic user-level access to the system can retrieve this value. Combined with knowledge of the static values used in the algorithm and the hostname (which is easily obtainable), an attacker can reconstruct the complete database password.
Once authenticated to the database, the attacker operates under the Exos9300Common user context, which has the ExosDialog and ExosDialogDotNet roles assigned. These roles provide extensive permissions including the ability to read data from most database tables and perform write operations (UPDATE and INSERT) on many tables.
Root Cause
The root cause is the reliance on a deterministic password derivation algorithm that uses predictable or accessible components. The design violates secure password management principles by:
- Using static random values that remain constant across installations
- Incorporating the hostname, which is publicly known information
- Storing the remaining random component in a registry location accessible to all local users
This approach assumes security through obscurity rather than implementing proper cryptographic key management practices.
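The pattern just described, as an added example that is not Dormakaba's code and not the Exos 9300 algorithm (the page does not reproduce it): Get-DerivedPassword is only an illustrative stand-in for "a password that is a pure function of inputs every local user can read", placed beside the replacement a practitioner would want, a CSPRNG-generated secret bound to the service identity with DPAPI. The blob path and the stand-in constants are assumptions.

```powershell
# Added example, not Dormakaba's code. Get-DerivedPassword is NOT the real Exos 9300
# algorithm (this page does not reproduce it); it only models the flawed pattern.

# --- Flawed pattern: whoever can read the three inputs can compute the password.
$StaticValues = 'constant-shipped-in-the-binary'   # stand-in for the static values
function Get-DerivedPassword {
    param([string]$Hostname, [string]$RegistryString)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $hash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($StaticValues + $Hostname + $RegistryString))
    [Convert]::ToBase64String($hash)
}
# $env:COMPUTERNAME is public and the registry string sits in a world-readable key, so a
# low-privileged local user runs exactly this call and obtains the service's password:
$regString  = 'value-read-from-world-readable-key'   # constructed stand-in for the registry value
$dbPassword = Get-DerivedPassword -Hostname $env:COMPUTERNAME -RegistryString $regString

# --- Replacement: generate a random secret once and bind it to the service identity.
Add-Type -AssemblyName System.Security   # ProtectedData (DPAPI) in Windows PowerShell
function New-ProtectedDbPassword {
    param([Parameter(Mandatory)][string]$BlobPath)   # assumed location; give it a restrictive ACL as well
    $raw = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($raw)   # CSPRNG, 256 bits
    $password = [Convert]::ToBase64String($raw)
    # CurrentUser scope: only the account that ran this (the service account) can Unprotect the blob.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect(
        [Text.Encoding]::UTF8.GetBytes($password), $null,
        [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [IO.File]::WriteAllBytes($BlobPath, $blob)
    $password   # returned once so the DBA can set the SQL login; never written anywhere in clear
}
function Get-ProtectedDbPassword {
    param([Parameter(Mandatory)][string]$BlobPath)
    $blob = [IO.File]::ReadAllBytes($BlobPath)
    # Any other local user calling this gets a CryptographicException, not the password.
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect(
        $blob, $null, [System.Security.Cryptography.DataProtectionScope]::CurrentUser)
    [Text.Encoding]::UTF8.GetString($plain)
}
```

Run New-ProtectedDbPassword once as the service account, then have the service call Get-ProtectedDbPassword at startup. Using the LocalMachine DPAPI scope instead would let any local user decrypt the blob and reproduce the original flaw; the CurrentUser scope needs the service account to have a loadable profile, which managed service accounts and virtual service accounts provide.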
Attack Vector
The attack requires local access to the system. An attacker must:
- Obtain local user access to a machine running the Exos 9300 software
- Read the random string component from the Windows registry
- Obtain the system hostname
- Apply the known password derivation algorithm using the static values
- Connect to the MSSQL server using the derived credentials as Exos9300Common
Because the derivation is deterministic, the output is the real password rather than a candidate: no brute force or guessing is involved, and SQL Server password policy (length, complexity, expiry) offers no protection. For complete technical details, refer to the SEC Consult Security Advisory.
Detection Methods for CVE-2025-59093
Indicators of Compromise
- Unexpected registry access patterns to Exos 9300 configuration keys by non-service accounts
- Anomalous database connections to the Exos 9300 MSSQL database from unexpected user accounts or workstations
- Unusual read queries against sensitive tables in the Exos 9300 database
- Database INSERT or UPDATE operations occurring outside normal operational hours or patterns
Detection Strategies
- Monitor the Windows Security Event Log for registry access events (Event ID 4663) targeting Exos 9300 registry keys. Note that 4663 is only generated when the "Registry" subcategory of Object Access auditing is enabled and the key itself carries a SACL that audits read (Query Value) access; with neither in place, reads of the key leave no trace
- Configure SQL Server Audit to log logins and statements by the Exos9300Common login (for example a server audit with SUCCESSFUL_LOGIN_GROUP and FAILED_LOGIN_GROUP, plus a database audit specification covering SELECT, INSERT and UPDATE on the Exos database, filtered to that principal)
- Implement database activity monitoring to detect bulk data extraction or unauthorized modifications
- Deploy endpoint detection to alert on processes reading specific registry paths associated with Exos 9300
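The two signals from the list above, registry reads of the Exos key by accounts other than the service and Exos9300Common logins from hosts that are not Exos application servers, as detection logic over constructed sample records. This is an added example, not part of the advisory; the key path, service identities, allowed client IPs, the assumption that the legitimate client's application_name starts with "Exos", and every sample record are assumptions constructed for illustration.

```powershell
# Added example (not from the advisory). Key path, identities, IPs and sample data are assumptions.
$ExosKeyNative    = '\REGISTRY\MACHINE\SOFTWARE\Dormakaba\Exos9300'   # assumed; 4663 logs the native object path
$ServiceAccounts  = @('exos-svc', 'EXOSAPP01$')                          # assumed identities expected to read the key
$AllowedDbClients = @('10.0.5.10', '10.0.5.11')                          # assumed Exos application server IPs

function Find-SuspiciousRegistryReads {
    param([Parameter(Mandatory)][string[]]$EventXml)   # each item: one event as returned by Get-WinEvent's ToXml()
    foreach ($xmlText in $EventXml) {
        $e = [xml]$xmlText
        if ($e.Event.System.EventID -ne '4663') { continue }
        $d = @{}
        foreach ($node in $e.Event.EventData.Data) { $d[$node.GetAttribute('Name')] = $node.'#text' }
        $isExosKey = ($d['ObjectType'] -eq 'Key') -and ($d['ObjectName'] -like "$ExosKeyNative*")
        if ($isExosKey -and ($ServiceAccounts -notcontains $d['SubjectUserName'])) {
            [pscustomobject]@{ Signal = 'RegistryRead'; Who = $d['SubjectUserName']; Process = $d['ProcessName']
                               Object = $d['ObjectName']; AccessMask = $d['AccessMask'] }
        }
    }
}

function Find-SuspiciousDbLogins {
    param([Parameter(Mandatory)][object[]]$AuditRows)   # rows shaped like sys.fn_get_audit_file output
    foreach ($r in $AuditRows) {
        # LGIS = login succeeded; only the vulnerable login is of interest here
        if ($r.server_principal_name -ne 'Exos9300Common' -or $r.action_id -ne 'LGIS') { continue }
        $reasons = @()
        if ($AllowedDbClients -notcontains $r.client_ip) { $reasons += "client_ip $($r.client_ip) is not an Exos application server" }
        if ($r.application_name -notlike 'Exos*') { $reasons += "application_name '$($r.application_name)' is not the Exos client (client-supplied, weak signal)" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ Signal = 'DbLogin'; Who = $r.server_principal_name; ClientIp = $r.client_ip
                               App = $r.application_name; Reason = ($reasons -join '; ') }
        }
    }
}

# Constructed sample data (not real logs), mirroring 4663 EventData fields and audit-file columns.
$event1 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>
<EventData><Data Name="SubjectUserName">exos-svc</Data><Data Name="ObjectType">Key</Data>
<Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Dormakaba\Exos9300</Data><Data Name="AccessMask">0x1</Data>
<Data Name="ProcessName">C:\Program Files\Exos9300\service.exe</Data></EventData></Event>
"@
$event2 = @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID></System>
<EventData><Data Name="SubjectUserName">jdoe</Data><Data Name="ObjectType">Key</Data>
<Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Dormakaba\Exos9300</Data><Data Name="AccessMask">0x1</Data>
<Data Name="ProcessName">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data></EventData></Event>
"@
$SampleAuditRows = @'
event_time,action_id,server_principal_name,client_ip,application_name
2026-01-27 08:00:01,LGIS,Exos9300Common,10.0.5.10,ExosDialogDotNet
2026-01-27 08:07:44,LGIS,Exos9300Common,10.0.42.17,Microsoft SQL Server Management Studio
2026-01-27 08:08:10,LGIS,sa,10.0.5.1,SQLCMD
'@ | ConvertFrom-Csv

Find-SuspiciousRegistryReads -EventXml @($event1, $event2)   # flags jdoe reading the key from powershell.exe
Find-SuspiciousDbLogins      -AuditRows $SampleAuditRows      # flags the SSMS login from 10.0.42.17
```

For live data, feed the first function `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663} | ForEach-Object { $_.ToXml() }` and the second the result of `Invoke-Sqlcmd` running `SELECT event_time, action_id, server_principal_name, client_ip, application_name FROM sys.fn_get_audit_file('<audit path>\*.sqlaudit', DEFAULT, DEFAULT)`. Treat client_ip as the stronger signal: application_name is set by the connecting client and an attacker can make it look like the Exos client.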
Monitoring Recommendations
- Enable SQL Server Audit (or, at minimum, set login auditing to both failed and successful logins in the instance properties, which writes them to the SQL Server error log) on the instance hosting the Exos 9300 database
- Configure alerts for database connections from non-standard source IPs or hosts
- Implement file integrity monitoring on Exos 9300 installation directories
- Review database audit logs regularly for signs of enumeration or data exfiltration
How to Mitigate CVE-2025-59093
Immediate Actions Required
- Restrict network access to the MSSQL server hosting Exos 9300 data to only authorized application servers
- Implement Windows registry ACLs to restrict read access to Exos 9300 configuration keys to only the required service accounts. Whatever process performs the password derivation must still be able to read the key, so test the change against the application; if Exos components that connect to the database run in the interactive user's context rather than as a service, the ACL cannot close the gap and only the vendor fix does
- Review and audit database access permissions for the Exos9300Common user and associated roles
- Enable SQL Server authentication auditing and monitor for suspicious connection patterns
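Before and after applying the actions above, two things are worth checking on each host: whether the Exos 9300 key is still readable by broad local groups, and whether it carries a read-audit SACL (without one, Event ID 4663 never fires for it). The script below is an added example, not part of the advisory or of Dormakaba's software; the key path and the list of "broad" principals are assumptions to adjust for the installation.

```powershell
# Added example (not from the advisory). Key path and principal list are assumptions.
$ExosKey         = 'HKLM:\SOFTWARE\Dormakaba\Exos9300'   # assumed; confirm against your installation
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Test-KeyReadMask {
    # True if a registry access mask lets the holder read values: KEY_QUERY_VALUE (0x1), or the
    # generic rights GENERIC_READ (0x80000000) / GENERIC_ALL (0x10000000), which Get-Acl
    # reports as raw numbers rather than RegistryRights names.
    param([int]$Mask)
    (($Mask -band 0x1) -ne 0) -or (($Mask -band 0x80000000) -ne 0) -or (($Mask -band 0x10000000) -ne 0)
}

function Get-BroadReadAccess {
    # Allow ACEs on the key that give read access to a broad local group.
    param([string]$Path = $ExosKey)
    $dacl = Get-Acl -Path $Path
    foreach ($ace in $dacl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (Test-KeyReadMask -Mask ([int]$ace.RegistryRights)) {
            [pscustomobject]@{ Identity = $ace.IdentityReference.Value; Rights = $ace.RegistryRights; Inherited = $ace.IsInherited }
        }
    }
}

function Get-ReadAuditRules {
    # Success-audit SACL entries that cover value reads; reading the SACL needs SeSecurityPrivilege (run elevated).
    param([string]$Path = $ExosKey)
    $sacl = Get-Acl -Path $Path -Audit
    $sacl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { (Test-KeyReadMask -Mask ([int]$_.RegistryRights)) -and
                       $_.AuditFlags.HasFlag([System.Security.AccessControl.AuditFlags]::Success) }
}

function Add-ReadAuditRule {
    # Audit every successful value read on the key and its subkeys, so 4663 can fire for any reader.
    param([string]$Path = $ExosKey)
    $sacl = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule(
        'Everyone', 'QueryValues', 'ContainerInherit,ObjectInherit', 'None', 'Success')
    $sacl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $sacl
}

$broad = @(Get-BroadReadAccess)
if ($broad.Count -gt 0) { "Key still readable by broad groups:"; $broad | Format-Table -AutoSize }
else                     { "No broad read access on $ExosKey" }
if (-not (Get-ReadAuditRules)) { "No read SACL on $ExosKey; run Add-ReadAuditRule (elevated) and enable the Registry audit subcategory." }
```

The SACL alone is not enough: the "Registry" subcategory under Object Access must also be turned on (`auditpol /set /subcategory:"Registry" /success:enable`), or the entries are never written to the Security log. Expect some volume from the legitimate service; filter on SubjectUserName when consuming the events.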
Patch Information
Consult the Dormakaba Security Advisories page for official patch information and updated software versions that address this vulnerability. Organizations should contact Dormakaba support to obtain the latest security updates for their Exos 9300 installations.
Workarounds
- Implement network segmentation to isolate the MSSQL database server from general user networks
- Apply the principle of least privilege to the Exos9300Common database user by reviewing the ExosDialog and ExosDialogDotNet roles it holds; the application depends on those roles, so remove permissions only in coordination with Dormakaba and after testing, or the system itself will break
- Deploy database firewall solutions to restrict SQL query types and patterns
- Consider column-level protection such as SQL Server Always Encrypted for sensitive columns. This is not an authentication layer: it leaves an attacker who holds only the database login with ciphertext for the protected columns, because decryption requires the column master key held by the application client, and it needs application support
# Example: Restrict registry key permissions (PowerShell). The key path and service account are placeholders; confirm both against the installation and the vendor advisory, and test that the Exos service still starts afterwards.
$key = "HKLM:\SOFTWARE\Dormakaba\Exos9300"
$svc = "DOMAIN\ExosServiceAccount"   # identity the Exos 9300 service runs as
$acl = Get-Acl -Path $key
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting and drop inherited entries; the DACL is empty until rules are added below
$rights = @{ "NT AUTHORITY\SYSTEM" = "FullControl"; "BUILTIN\Administrators" = "FullControl"; $svc = "ReadKey" }
foreach ($id in $rights.Keys) { $acl.AddAccessRule((New-Object System.Security.AccessControl.RegistryAccessRule($id, $rights[$id], "ContainerInherit,ObjectInherit", "None", "Allow"))) }
Set-Acl -Path $key -AclObject $acl
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


