{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-19T17:51:20.978","vulnerabilities":[{"cve":{"id":"CVE-2025-59097","sourceIdentifier":"551230f0-3615-47bd-b7cc-93e92e730bbf","published":"2026-01-26T10:16:07.293","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps.\n\nThis insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication:\n- Re-configure Access Managers (e.g. remove alarming system requirements)\n- Freely re-configure the inputs and outputs\n- Open all connected doors permanently\n- Open all doors for a defined time interval\n- Change the admin password\n- and many more\n\nNetwork level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet."},{"lang":"es","value":"La aplicación exos 9300 puede utilizarse para configurar Access Managers (p. ej. 92xx, 9230 y 9290). La configuración se realiza en una interfaz gráfica de usuario en el servidor dormakaba exos. Tan pronto como se hace clic en el botón de guardar en exos 9300, toda la configuración se envía al Access Manager seleccionado a través de SOAP. La solicitud SOAP se envía sin autenticación o autorización previa alguna por defecto. Aunque la autenticación y la autorización pueden configurarse utilizando IPsec para dispositivos 92xx-K5 y mTLS para dispositivos 92xx-K7, no está habilitado por defecto y, por lo tanto, debe activarse con pasos adicionales.\n\nEste valor predeterminado inseguro permite a un atacante con acceso a nivel de red controlar completamente todo el entorno. Un atacante, por ejemplo, puede realizar fácilmente las siguientes tareas sin autenticación previa:\n- Reconfigurar Access Managers (p. ej., eliminar requisitos de sistemas de alarma)\n- Reconfigurar libremente las entradas y salidas\n- Abrir todas las puertas conectadas permanentemente\n- Abrir todas las puertas por un intervalo de tiempo definido\n- Cambiar la contraseña de administrador\n- y muchos más\n\nEl acceso a nivel de red puede obtenerse debido a una segmentación de red insuficiente, así como a la falta de firewalls de LAN. Se ha identificado que los dispositivos con una configuración insegura están directamente expuestos a internet."}],"metrics":{"cvssMetricV40":[{"source":"551230f0-3615-47bd-b7cc-93e92e730bbf","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":9.3,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnAvailabilityImpact":"HIGH","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"NOT_DEFINED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}]},"weaknesses":[{"source":"551230f0-3615-47bd-b7cc-93e92e730bbf","type":"Secondary","description":[{"lang":"en","value":"CWE-306"},{"lang":"en","value":"CWE-1188"}]}],"references":[{"url":"https://r.sec-consult.com/dkaccess","source":"551230f0-3615-47bd-b7cc-93e92e730bbf"},{"url":"https://r.sec-consult.com/dormakaba","source":"551230f0-3615-47bd-b7cc-93e92e730bbf"},{"url":"https://www.dormakabagroup.com/en/security-advisories","source":"551230f0-3615-47bd-b7cc-93e92e730bbf"}]}}]}