CVE-2025-59094 Overview
A local privilege escalation vulnerability has been identified in the Kaba exos 9300 System management application (d9sysdef.exe). This security flaw allows an attacker with local access and high privileges to specify an arbitrary executable along with a scheduled execution time, resulting in the specified executable running with SYSTEM privileges. This represents a significant risk for organizations using the affected access control system, as it could allow malicious actors to gain complete control over the host system.
Critical Impact
Attackers with local access can escalate privileges to SYSTEM level by scheduling arbitrary executables, potentially leading to complete system compromise.
Affected Products
- Kaba exos 9300 System management application (d9sysdef.exe)
- Dormakaba access control systems utilizing the exos 9300 platform
Discovery Timeline
- 2026-01-26 - CVE-2025-59094 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-59094
Vulnerability Analysis
This vulnerability is classified under CWE-269 (Improper Privilege Management), indicating a fundamental flaw in how the application handles privilege assignment and execution contexts. The Kaba exos 9300 System management application contains functionality that allows users to schedule executable files for automatic execution. The critical security issue arises from the fact that these scheduled executables run with SYSTEM privileges, the highest privilege level on Windows systems, regardless of the user's actual permission level.
The local attack vector means an attacker must have some form of access to the target system, though the ability to escalate to SYSTEM privileges makes this a significant security concern for enterprise environments where the exos 9300 access control system is deployed.
Root Cause
The root cause of this vulnerability lies in improper privilege management within the d9sysdef.exe application. The application fails to properly validate or restrict the privilege context under which scheduled executables are launched. By allowing arbitrary executables to be specified and subsequently executed with SYSTEM privileges, the application effectively provides a privilege escalation mechanism to any user who can interact with the scheduling functionality.
This design flaw bypasses standard Windows security controls that would normally prevent unauthorized privilege escalation, as the application itself is already running with elevated privileges and passes those privileges to the scheduled executable.
Attack Vector
The attack requires local access to a system running the Kaba exos 9300 System management application. An attacker with appropriate access to the application can:
- Access the system management interface within d9sysdef.exe
- Navigate to the scheduling functionality
- Specify a malicious executable (such as a reverse shell or persistence mechanism)
- Configure the weekday and start time for execution
- Wait for the scheduled time when the malicious executable runs with SYSTEM privileges
The vulnerability exploitation does not require complex attack chains or additional vulnerabilities. Once the malicious executable runs with SYSTEM privileges, the attacker has full control over the target system, enabling data exfiltration, lateral movement, installation of persistent backdoors, or complete system destruction.
Detection Methods for CVE-2025-59094
Indicators of Compromise
- Unexpected executables scheduled through the d9sysdef.exe application
- Processes spawned with SYSTEM privileges that originate from the Kaba exos 9300 scheduling functionality
- Unusual files appearing in directories accessible to the system management application
- Unexpected scheduled tasks or persistent mechanisms appearing on systems running the exos 9300 platform
Detection Strategies
- Monitor process creation events for child processes of d9sysdef.exe running with elevated privileges
- Implement file integrity monitoring on directories where the exos 9300 application stores scheduled executable configurations
- Deploy endpoint detection and response (EDR) solutions to identify suspicious privilege escalation patterns
- Review Windows Event Logs for Service Control Manager events indicating unexpected SYSTEM-level process launches
Monitoring Recommendations
- Enable detailed process auditing on systems running the Kaba exos 9300 System management application
- Configure alerts for any new executables scheduled through the application's management interface
- Implement behavioral analysis to detect anomalous execution patterns following scheduled task triggers
- Regularly audit the scheduled executables list within the exos 9300 application for unauthorized entries
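The detection strategies and monitoring recommendations above both come down to one check: a process spawned by d9sysdef.exe that runs as SYSTEM and is not something the operator expects the scheduler to launch. The script below is an added example, not code from the advisory, SEC Consult or dormakaba. It assumes process-creation records have been exported from the Windows Security log (event ID 4688) as dictionaries carrying the ParentProcessName, NewProcessName and TargetUserSid fields; the install path of d9sysdef.exe, the allowlist of expected child executables and the sample events are all constructed placeholders.

```python
"""Flag SYSTEM-level child processes of d9sysdef.exe in process-creation records.

Added example, not from the advisory or the vendor. Each input record is a dict
modelled on Windows Security event ID 4688 (process creation). Paths, allowlist
entries and sample events are constructed placeholders.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

SYSTEM_SID = "S-1-5-18"            # well-known SID of NT AUTHORITY\SYSTEM
SCHEDULER_BINARY = "d9sysdef.exe"  # Kaba exos 9300 system management application

# Hypothetical allowlist of executables the operator expects the scheduler to
# start. In practice this is derived from the audited scheduled-executable list.
EXPECTED_CHILDREN = {
    r"c:\program files\kaba\exos\maint\backup.exe",  # placeholder path
}


@dataclass(frozen=True)
class Finding:
    time: str
    parent: str
    child: str
    user_sid: str
    reason: str


def _basename(path: str) -> str:
    # ntpath handles backslash paths even when this runs on a non-Windows host
    return ntpath.basename(path).lower()


def is_system_child_of_scheduler(event: dict) -> bool:
    """True when the record shows d9sysdef.exe spawning a process as SYSTEM."""
    return (
        _basename(event.get("ParentProcessName", "")) == SCHEDULER_BINARY
        and event.get("TargetUserSid", "") == SYSTEM_SID
    )


def find_suspicious_launches(events: list[dict]) -> list[Finding]:
    """Return a finding for every SYSTEM child of d9sysdef.exe that is not expected.

    A child is unexpected when its full path is not on the allowlist; a child
    that lives under a user profile or a Temp directory is reported with a more
    specific reason, since that is where a locally planted binary usually sits.
    """
    findings: list[Finding] = []
    for ev in events:
        if not is_system_child_of_scheduler(ev):
            continue
        child = ev.get("NewProcessName", "")
        child_l = child.lower()
        if child_l in EXPECTED_CHILDREN:
            continue
        if child_l.startswith("c:\\users\\") or "\\temp\\" in child_l:
            reason = "SYSTEM child from user-writable path"
        else:
            reason = "SYSTEM child not on scheduler allowlist"
        findings.append(
            Finding(ev.get("TimeCreated", ""), ev["ParentProcessName"], child, SYSTEM_SID, reason)
        )
    return findings


# Constructed sample records, not real telemetry. The scheduler path is a placeholder.
SCHEDULER_PATH = r"C:\Program Files\Kaba\exos\d9sysdef.exe"
SAMPLE_EVENTS = [
    {"TimeCreated": "2026-02-02T08:00:01", "ParentProcessName": SCHEDULER_PATH,
     "NewProcessName": r"C:\Program Files\Kaba\exos\maint\backup.exe", "TargetUserSid": SYSTEM_SID},
    {"TimeCreated": "2026-02-02T08:05:00", "ParentProcessName": SCHEDULER_PATH,
     "NewProcessName": r"C:\Users\operator\AppData\Local\Temp\update.exe", "TargetUserSid": SYSTEM_SID},
    {"TimeCreated": "2026-02-02T08:06:00", "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "TargetUserSid": "S-1-5-21-1-2-3-1001"},
    {"TimeCreated": "2026-02-02T08:07:00", "ParentProcessName": SCHEDULER_PATH,
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "TargetUserSid": SYSTEM_SID},
]


if __name__ == "__main__":
    for f in find_suspicious_launches(SAMPLE_EVENTS):
        print(f"{f.time} {f.reason}: {f.parent} -> {f.child} ({f.user_sid})")
```

Run against the constructed sample, the allowlisted backup job is ignored, the explorer.exe record is ignored because the parent is not the scheduler, and the two remaining SYSTEM children (one from a Temp directory, one not on the allowlist) are reported. To make the same logic useful on a live host, feed it records pulled from the Security log with process-creation auditing enabled and keep the allowlist in sync with the scheduled-executable list the page recommends auditing regularly.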
How to Mitigate CVE-2025-59094
Immediate Actions Required
- Review and audit all currently scheduled executables within the Kaba exos 9300 System management application
- Restrict physical and remote access to systems running d9sysdef.exe to only authorized administrators
- Implement application whitelisting to prevent unauthorized executables from running on affected systems
- Monitor the Dormakaba Security Advisory page for official patches and updates
Patch Information
Organizations should consult the official Dormakaba security advisory for patch availability and installation instructions. Additional technical details regarding this vulnerability can be found in the SEC Consult security report and the related dormakaba advisory.
Workarounds
- Implement strict access controls limiting who can interact with the d9sysdef.exe application
- Deploy application control solutions to prevent execution of unauthorized binaries even when scheduled with elevated privileges
- Segment networks to isolate systems running the exos 9300 platform from general user access
- Consider disabling the scheduling functionality if not required for business operations until an official patch is available
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

