CVE-2025-59095: EXOS 9300 Information Disclosure Flaw

CVE-2025-59095 is an information disclosure vulnerability in EXOS 9300 caused by hard-coded secrets and weak XOR encryption. This article covers the technical details, affected components, security impact, and mitigation.

CVE-2025-59095 Overview

CVE-2025-59095 affects the dormakaba EXOS 9300 access management platform. The product's program libraries (DLLs) and binaries contain multiple hard-coded secrets [CWE-798]. The EncryptAndDecrypt function in Kaba.EXOS.common.dll applies a static XOR routine using a cryptographic key derived from the company founder's name. The application uses this routine to protect sensitive data such as user PINs before writing them to the backing MSSQL database. An authenticated local actor with access to the binaries or database contents can recover the static key and decrypt protected values.

Critical Impact

Recovery of the embedded key allows decryption of user PINs and other secrets stored in the EXOS 9300 MSSQL database, undermining authentication confidentiality.

Affected Products

  • dormakaba EXOS 9300 access management software
  • Kaba.EXOS.common.dll library
  • Associated EXOS 9300 binaries shipping the EncryptAndDecrypt routine

Discovery Timeline

  • 2026-01-26 - CVE-2025-59095 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-59095

Vulnerability Analysis

The vulnerability is a hard-coded cryptographic key weakness classified under [CWE-798]. The EncryptAndDecrypt function inside Kaba.EXOS.common.dll implements a custom XOR transformation rather than a vetted cryptographic primitive. The routine processes each character of the plaintext against a static key string embedded directly in the assembly. Because the key never rotates and ships with every installation, every EXOS 9300 deployment shares the same secret material.

The encryption protects high-value records, including user PINs persisted in the MSSQL backend. An attacker with read access to the database tables, backups, or memory dumps can reverse the XOR operation using the recovered key. The CVSS 4.0 vector identifies the attack surface as local with low privileges required and high confidentiality impact, with no integrity or availability consequences.

Root Cause

The root cause is the embedding of a static cryptographic key inside shipped binaries and the use of XOR as a substitute for an authenticated cipher. Static analysis of Kaba.EXOS.common.dll exposes the key string as a literal, and no key derivation, salting, or rotation is performed. Secrets recovered from one installation decrypt data from any other installation running the same release.
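To make the weakness described in the analysis and root-cause passages concrete, here is an added illustration that is not code from the page or from dormakaba's product: a constructed repeating-key XOR routine with a placeholder key (the actual EncryptAndDecrypt implementation and its key are deliberately not reproduced), the known-plaintext property that makes any static XOR key recoverable, and, as one standard alternative rather than the vendor's fix, a per-record salted PBKDF2 verifier that needs no reversible ciphertext at all.

```python
import hashlib
import hmac
import os

# Constructed placeholder: the real embedded key is deliberately NOT reproduced.
STATIC_KEY = b"PLACEHOLDER-STATIC-KEY"


def xor_transform(data: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Repeating-key XOR of the kind the advisory describes. One function both
    encrypts and decrypts because XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_stream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """Why a static XOR key is fatal: a single known plaintext/ciphertext pair
    (any record whose PIN is already known) yields the key stream for that
    length, and that stream decrypts every other record of that length on
    every installation, because the key never changes."""
    return bytes(p ^ c for p, c in zip(plaintext, ciphertext))


def make_pin_verifier(pin: str, salt: bytes = b"", rounds: int = 200_000):
    """Hardened alternative (illustrative, not the vendor's fix): store a
    per-record salted PBKDF2 verifier instead of reversible ciphertext.
    Read access to the table then reveals nothing reusable across records."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, rounds)


def check_pin(pin: str, salt: bytes, digest: bytes, rounds: int = 200_000) -> bool:
    """Constant-time comparison of a candidate PIN against the stored verifier."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Installation A: one record whose PIN is known, plus its stored ciphertext.
    known_ct = xor_transform(b"1234")
    stream = recover_key_stream(b"1234", known_ct)
    # Installation B shares the static key, so the stream decrypts another PIN.
    other_ct = xor_transform(b"9876")
    print(xor_transform(other_ct, stream))  # b'9876'
    salt, digest = make_pin_verifier("9876")
    print(check_pin("9876", salt, digest), check_pin("0000", salt, digest))  # True False
```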

Attack Vector

Exploitation requires local access with a valid low-privileged account on a system running EXOS 9300 or access to its database. The attacker extracts the static key from the DLL through reverse engineering, then applies the inverse XOR operation against PIN ciphertext retrieved from the MSSQL database. No user interaction is required. Refer to the SEC Consult Advisory - dkexos and the Dormakaba Security Advisory for vendor-supplied technical details.

Detection Methods for CVE-2025-59095

Indicators of Compromise

  • Unauthorized read access to MSSQL tables holding EXOS 9300 user credential material or PIN ciphertext columns.
  • Presence of reverse-engineering tooling (debuggers, decompilers) on EXOS 9300 application servers.
  • File access events targeting Kaba.EXOS.common.dll from non-service accounts or unusual processes.

Detection Strategies

  • Audit MSSQL query logs for SELECT statements against tables containing PIN or credential fields, especially from interactive sessions.
  • Monitor process execution on EXOS 9300 hosts for binary inspection tools such as dnSpy, ILSpy, or ProcDump.
  • Hash and inventory Kaba.EXOS.common.dll across deployments to identify tampering or unauthorized copies on file shares.

Monitoring Recommendations

  • Enable SQL Server audit specifications for the EXOS database and forward events to a centralized log platform.
  • Track Windows file access auditing (Event ID 4663) for EXOS installation directories.
  • Alert on outbound transfer of EXOS DLLs or database backup files from production access-control servers.
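The detection strategies and monitoring recommendations above, turned into a small added example (not tooling from the page or from dormakaba): two filters run over constructed Windows 4663-style file-access records and SQL Server audit records. The service-account names, the EXOS application name, the PIN column names and the table name are assumptions for the sample data and must be adapted to a real deployment.

```python
import re

# Allow-lists are assumptions for this example; adapt to the real deployment.
SERVICE_ACCOUNTS = {"NT AUTHORITY\\SYSTEM", "CORP\\svc_exos"}
EXOS_APP_NAMES = {"EXOS 9300 Server"}          # assumed SQL application_name
PIN_COLUMNS = {"pin", "pin_ciphertext"}        # assumed column names
DLL_NAME = "kaba.exos.common.dll"


def flag_dll_access(events):
    """events: Windows 4663-style records (constructed dicts, not real logs).
    Returns accesses to Kaba.EXOS.common.dll by non-service accounts."""
    return [
        (e["subject"], e["process_name"], e["object_name"])
        for e in events
        if e.get("event_id") == 4663
        and e["object_name"].lower().endswith(DLL_NAME)
        and e["subject"] not in SERVICE_ACCOUNTS
    ]


def flag_pin_queries(audit_rows):
    """audit_rows: SQL Server audit records (constructed dicts). Returns SELECTs
    that touch PIN columns and come from a client other than the EXOS service."""
    hits = []
    for row in audit_rows:
        stmt = row["statement"]
        if not re.match(r"\s*select\b", stmt, re.IGNORECASE):
            continue
        tokens = set(re.findall(r"[A-Za-z_]+", stmt.lower()))
        if tokens & PIN_COLUMNS and row["application_name"] not in EXOS_APP_NAMES:
            hits.append((row["server_principal"], row["application_name"], stmt))
    return hits


# Constructed sample data for a stand-alone run (paths and names are assumptions).
SAMPLE_EVENTS = [
    {"event_id": 4663, "subject": "CORP\\svc_exos", "process_name": r"C:\Program Files\Kaba\EXOS\ExosServer.exe",
     "object_name": r"C:\Program Files\Kaba\EXOS\Kaba.EXOS.common.dll"},
    {"event_id": 4663, "subject": "CORP\\jdoe", "process_name": r"C:\Tools\dnSpy.exe",
     "object_name": r"C:\Program Files\Kaba\EXOS\Kaba.EXOS.common.dll"},
]
SAMPLE_AUDIT = [
    {"server_principal": "CORP\\svc_exos", "application_name": "EXOS 9300 Server",
     "statement": "SELECT pin FROM dbo.person WHERE id = @p0"},
    {"server_principal": "CORP\\jdoe", "application_name": "Microsoft SQL Server Management Studio - Query",
     "statement": "select name, pin from dbo.person"},
]

if __name__ == "__main__":
    print(flag_dll_access(SAMPLE_EVENTS))
    print(flag_pin_queries(SAMPLE_AUDIT))
```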

How to Mitigate CVE-2025-59095

Immediate Actions Required

  • Restrict local and database access to EXOS 9300 systems to the minimum set of administrators and service accounts.
  • Rotate all user PINs and operator credentials once a vendor-supplied fix is applied, since prior ciphertext should be treated as compromised.
  • Isolate EXOS 9300 servers and their MSSQL backend on a segmented management network.

Patch Information

Consult the Dormakaba Security Advisory and the SEC Consult Advisory - dormakaba for fixed release information and remediation guidance. Apply the vendor update that replaces the static XOR routine with an industry-standard authenticated encryption scheme and per-installation key material.

Workarounds

  • Enforce Transparent Data Encryption (TDE) on the EXOS MSSQL database to protect backup and at-rest data from offline key recovery (TDE does not limit what an authenticated database principal with SELECT rights can read).
  • Restrict file system permissions on EXOS installation directories so only required service accounts can read Kaba.EXOS.common.dll.
  • Disable interactive logons on EXOS application servers and require jump-host access with full session logging.
```powershell
# Configuration example: restrict ACLs on the EXOS install directory (Windows)
icacls "C:\Program Files\Kaba\EXOS" /inheritance:r
icacls "C:\Program Files\Kaba\EXOS" /grant:r "SYSTEM:(OI)(CI)F" "Administrators:(OI)(CI)F" "EXOSService:(OI)(CI)RX"
icacls "C:\Program Files\Kaba\EXOS" /remove "Users" "Authenticated Users"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
