CVE-2025-59096 Overview
CVE-2025-59096 is a hardcoded credentials vulnerability affecting the Dormakaba Kaba 9300 Administration application (U9ExosAdmin.exe). The default password for the extended admin user mode is hard-coded in multiple locations within the application and is also documented in locally stored user documentation, making it trivially accessible to attackers with local access.
Critical Impact
Attackers with local access can leverage the hard-coded credentials to gain extended administrative privileges within the Kaba 9300 Administration application, potentially compromising physical access control systems.
Affected Products
- Dormakaba Kaba 9300 Administration (U9ExosAdmin.exe)
Discovery Timeline
- 2026-01-26 - CVE-2025-59096 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-59096
Vulnerability Analysis
This vulnerability stems from CWE-798 (Use of Hard-coded Credentials), a critical security weakness where authentication credentials are embedded directly into the application code or configuration files. In the case of CVE-2025-59096, the Dormakaba Kaba 9300 Administration application contains a hard-coded default password for the extended admin user mode that is present in multiple locations throughout the codebase and accompanying documentation.
The attack requires local access to exploit, meaning an attacker must already have some level of access to the system where the application is installed. However, once local access is obtained, the attacker can easily locate the hard-coded credentials by examining the application binary, the configuration files, or the locally stored user documentation.
Root Cause
The root cause of this vulnerability is the insecure practice of embedding static credentials within software applications. Rather than implementing a secure credential management system that enforces unique, user-defined passwords or integrates with enterprise identity management solutions, the developers chose to include a default password that remains constant across all installations. This pattern is particularly concerning in physical access control systems where security is paramount.
Attack Vector
The attack vector for CVE-2025-59096 requires local access to the system. An attacker who has gained physical or remote access to a workstation running the Kaba 9300 Administration software can extract the hard-coded password from the application binary, configuration files, or user documentation. With these credentials, the attacker can authenticate to the extended admin mode and potentially modify access control configurations, user permissions, or audit logs.
The exploitation path typically involves:
- Gaining local access to a system with U9ExosAdmin.exe installed
- Locating the hard-coded password in the application or documentation
- Using the credentials to authenticate as the extended admin user
- Leveraging elevated privileges to manipulate the access control system
Detection Methods for CVE-2025-59096
Indicators of Compromise
- Unexpected logins to the extended admin user mode in U9ExosAdmin.exe
- Modification of access control configurations without authorized change requests
- Access to user documentation or application binaries by unauthorized users
- Anomalous administrative activity within the Kaba 9300 Administration interface
Detection Strategies
- Monitor authentication logs for the Kaba 9300 Administration application for suspicious login patterns
- Implement file integrity monitoring on U9ExosAdmin.exe and associated configuration files
- Deploy endpoint detection and response (EDR) solutions to detect unauthorized access attempts
- Audit user documentation access and flag attempts to retrieve sensitive installation guides
Monitoring Recommendations
- Enable detailed logging for all administrative actions within the Kaba 9300 system
- Configure SIEM rules to alert on extended admin mode authentication events
- Implement user behavior analytics to detect anomalous access patterns
- Review access control configuration changes on a regular basis for unauthorized modifications
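The indicators and SIEM rules listed above, turned into a small log-correlation script as an added example (not code from this page, from Dormakaba, or from SEC Consult). The log line format, host names, account names, approved-user list and change window are all constructed assumptions; the real Kaba 9300 Administration log format is not given here and would have to be mapped into the parser. It flags extended admin mode logins by unapproved accounts or outside the change window, and configuration changes that follow an extended login but carry no change-request reference.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical format (NOT the real Kaba 9300 log format):
# <ISO timestamp> <host> <event> user=<name> [mode=<mode>] [object=<obj>] [change_ref=<ticket>]
SAMPLE_LOG = """\
2026-01-27T08:02:11 ACS-WS01 LOGIN user=jdoe mode=standard
2026-01-27T08:05:40 ACS-WS01 LOGIN user=service mode=extended
2026-01-27T08:06:02 ACS-WS01 CONFIG_CHANGE user=service object=door_group_7
2026-01-27T09:15:00 ACS-WS02 LOGIN user=admin_ops mode=extended
2026-01-27T09:16:30 ACS-WS02 CONFIG_CHANGE user=admin_ops object=door_group_3 change_ref=CHG-4412
2026-01-27T23:41:09 ACS-WS03 LOGIN user=admin_ops mode=extended
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
# Assumed policy: who may use the extended admin mode, and the approved change window (local hours).
APPROVED_EXTENDED_USERS = {"admin_ops"}
CHANGE_WINDOW = (7, 19)            # 07:00 to 19:00
CORRELATION_WINDOW = timedelta(minutes=30)

def parse_line(line):
    """Split one log line into a dict of timestamp, host, event and key=value fields."""
    ts, host, event, rest = LINE_RE.match(line).groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}

def find_alerts(log_text):
    """Return (alert_type, user, host) tuples for the detection rules described above."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts, extended_logins = [], []
    for ev in events:
        if ev["event"] == "LOGIN" and ev.get("mode") == "extended":
            extended_logins.append(ev)
            if ev["user"] not in APPROVED_EXTENDED_USERS:
                alerts.append(("unapproved_extended_login", ev["user"], ev["host"]))
            if not (CHANGE_WINDOW[0] <= ev["ts"].hour < CHANGE_WINDOW[1]):
                alerts.append(("extended_login_outside_window", ev["user"], ev["host"]))
        elif ev["event"] == "CONFIG_CHANGE" and "change_ref" not in ev:
            # A config change with no change ticket, shortly after an extended login on the same host
            recent = [l for l in extended_logins
                      if l["host"] == ev["host"]
                      and timedelta(0) <= ev["ts"] - l["ts"] <= CORRELATION_WINDOW]
            if recent:
                alerts.append(("config_change_without_change_ref", ev["user"], ev["host"]))
    return alerts
```

On the constructed sample, the `service` login and its untracked change on ACS-WS01 and the late-night extended login on ACS-WS03 are flagged, while the ticketed change by `admin_ops` inside the window is not.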
How to Mitigate CVE-2025-59096
Immediate Actions Required
- Change the default password for the extended admin user mode immediately upon installation
- Restrict local access to systems running U9ExosAdmin.exe to authorized personnel only
- Remove or secure locally stored user documentation containing credential information
- Implement network segmentation to isolate access control management systems
- Review and audit all accounts with access to the Kaba 9300 Administration interface
Patch Information
Organizations should consult the Dormakaba Security Advisory page for the latest security updates and patching guidance. Additional technical analysis is available from SEC Consult.
Workarounds
- Implement strong, unique passwords to replace default credentials immediately after deployment
- Apply principle of least privilege by restricting access to the extended admin mode
- Store user documentation in secure, access-controlled locations rather than locally on workstations
- Consider implementing multi-factor authentication for administrative access where supported
- Conduct regular security audits to identify and remediate any systems using default credentials
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.