CVE-2025-59097 (GCVE-0-2025-59097)

Vulnerability from cvelistv5 – Published: 2026-01-26 10:04 – Updated: 2026-01-26 16:09
VLAI
Title
Unauthenticated SOAP API in dormakaba access manager
Summary
The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication: - Re-configure Access Managers (e.g. remove alarming system requirements) - Freely re-configure the inputs and outputs - Open all connected doors permanently - Open all doors for a defined time interval - Change the admin password - and many more Network level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-306 - Missing Authentication for Critical Function
  • CWE-1188 - Initialization of a Resource with an Insecure Default
Assigner
References
Impacted products
Vendor Product Version
dormakaba Access Manager 92xx-k5 Affected: 92xx-K5: All Versions
Create a notification for this product.
dormakaba Access Manager 92xx-k7 Affected: 92xx-K7: Older than BAME 06.00 must be configured
Create a notification for this product.
Credits
Clemens Stockenreitner, SEC Consult Vulnerability Lab Werner Schober, SEC Consult Vulnerability Lab
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59097",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-26T16:09:48.312965Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-26T16:09:59.007Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "product": "Access Manager 92xx-k5",
          "vendor": "dormakaba",
          "versions": [
            {
              "status": "affected",
              "version": "92xx-K5: All Versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Access Manager 92xx-k7",
          "vendor": "dormakaba",
          "versions": [
            {
              "status": "affected",
              "version": "92xx-K7: Older than BAME 06.00 must be configured"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Clemens Stockenreitner, SEC Consult Vulnerability Lab"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Werner Schober, SEC Consult Vulnerability Lab"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps.\u003cbr\u003e\u003cbr\u003eThis insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication:\u003cbr\u003e- Re-configure Access Managers (e.g. remove alarming system requirements)\u003cbr\u003e- Freely re-configure the inputs and outputs\u003cbr\u003e- Open all connected doors permanently\u003cbr\u003e- Open all doors for a defined time interval\u003cbr\u003e- Change the admin password\u003cbr\u003e- and many more\u003cbr\u003e\u003cbr\u003eNetwork level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet."
            }
          ],
          "value": "The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps.\n\nThis insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication:\n- Re-configure Access Managers (e.g. remove alarming system requirements)\n- Freely re-configure the inputs and outputs\n- Open all connected doors permanently\n- Open all doors for a defined time interval\n- Change the admin password\n- and many more\n\nNetwork level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-36",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-36: Using Unpublished Interfaces or Functionality"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.3,
            "baseSeverity": "CRITICAL",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-306",
              "description": "CWE-306: Missing Authentication for Critical Function",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-1188",
              "description": "CWE-1188: Initialization of a Resource with an Insecure Default",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-26T10:04:38.742Z",
        "orgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
        "shortName": "SEC-VLab"
      },
      "references": [
        {
          "tags": [
            "technical-description"
          ],
          "url": "https://r.sec-consult.com/dormakaba"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://r.sec-consult.com/dkaccess"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.dormakabagroup.com/en/security-advisories"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "It is highly recommended to encrypt the communication to the Access Manager 92xx K5 via IPSec. The Configuration is described in the device reference manual. It is also recommended to secure the used communication port from external access.\u003cbr\u003e\u003cbr\u003eTo encrypt the communication to the Access Manager 92xx K7, an mTLS connection can be set up. For new installations in combination with exos 4.4.x, HTTPS with self-signed certificates is activated by default. In existing installations, this must be configured manually. HTTPS with self-signed certificates can be configured at any time. The configuration is described in the device reference manual.  It is also recommended to secure or close the used communication port from external access."
            }
          ],
          "value": "It is highly recommended to encrypt the communication to the Access Manager 92xx K5 via IPSec. The Configuration is described in the device reference manual. It is also recommended to secure the used communication port from external access.\n\nTo encrypt the communication to the Access Manager 92xx K7, an mTLS connection can be set up. For new installations in combination with exos 4.4.x, HTTPS with self-signed certificates is activated by default. In existing installations, this must be configured manually. HTTPS with self-signed certificates can be configured at any time. The configuration is described in the device reference manual.  It is also recommended to secure or close the used communication port from external access."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Unauthenticated SOAP API in dormakaba access manager",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "551230f0-3615-47bd-b7cc-93e92e730bbf",
    "assignerShortName": "SEC-VLab",
    "cveId": "CVE-2025-59097",
    "datePublished": "2026-01-26T10:04:38.742Z",
    "dateReserved": "2025-09-09T07:52:56.383Z",
    "dateUpdated": "2026-01-26T16:09:59.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2025-59097",
      "date": "2026-07-02",
      "epss": "0.00523",
      "percentile": "0.40481"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59097\",\"sourceIdentifier\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"published\":\"2026-01-26T10:16:07.293\",\"lastModified\":\"2026-06-17T09:45:32.767\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps.\\n\\nThis insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication:\\n- Re-configure Access Managers (e.g. remove alarming system requirements)\\n- Freely re-configure the inputs and outputs\\n- Open all connected doors permanently\\n- Open all doors for a defined time interval\\n- Change the admin password\\n- and many more\\n\\nNetwork level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet.\"},{\"lang\":\"es\",\"value\":\"La aplicaci\u00f3n exos 9300 puede utilizarse para configurar Access Managers (p. ej. 92xx, 9230 y 9290). La configuraci\u00f3n se realiza en una interfaz gr\u00e1fica de usuario en el servidor dormakaba exos. Tan pronto como se hace clic en el bot\u00f3n de guardar en exos 9300, toda la configuraci\u00f3n se env\u00eda al Access Manager seleccionado a trav\u00e9s de SOAP. La solicitud SOAP se env\u00eda sin autenticaci\u00f3n o autorizaci\u00f3n previa alguna por defecto. Aunque la autenticaci\u00f3n y la autorizaci\u00f3n pueden configurarse utilizando IPsec para dispositivos 92xx-K5 y mTLS para dispositivos 92xx-K7, no est\u00e1 habilitado por defecto y, por lo tanto, debe activarse con pasos adicionales.\\n\\nEste valor predeterminado inseguro permite a un atacante con acceso a nivel de red controlar completamente todo el entorno. Un atacante, por ejemplo, puede realizar f\u00e1cilmente las siguientes tareas sin autenticaci\u00f3n previa:\\n- Reconfigurar Access Managers (p. ej., eliminar requisitos de sistemas de alarma)\\n- Reconfigurar libremente las entradas y salidas\\n- Abrir todas las puertas conectadas permanentemente\\n- Abrir todas las puertas por un intervalo de tiempo definido\\n- Cambiar la contrase\u00f1a de administrador\\n- y muchos m\u00e1s\\n\\nEl acceso a nivel de red puede obtenerse debido a una segmentaci\u00f3n de red insuficiente, as\u00ed como a la falta de firewalls de LAN. Se ha identificado que los dispositivos con una configuraci\u00f3n insegura est\u00e1n directamente expuestos a internet.\"}],\"affected\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"affectedData\":[{\"vendor\":\"dormakaba\",\"product\":\"Access Manager 92xx-k5\",\"defaultStatus\":\"affected\",\"versions\":[{\"version\":\"92xx-K5: All Versions\",\"status\":\"affected\"}]},{\"vendor\":\"dormakaba\",\"product\":\"Access Manager 92xx-k7\",\"defaultStatus\":\"unaffected\",\"versions\":[{\"version\":\"92xx-K7: Older than BAME 06.00 must be configured\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.3,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"ssvcV203\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"ssvcData\":{\"timestamp\":\"2026-01-26T16:09:48.312965Z\",\"id\":\"CVE-2025-59097\",\"options\":[{\"exploitation\":\"none\"},{\"automatable\":\"yes\"},{\"technicalImpact\":\"total\"}],\"role\":\"CISA Coordinator\",\"version\":\"2.0.3\"}}]},\"weaknesses\":[{\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-306\"},{\"lang\":\"en\",\"value\":\"CWE-1188\"}]}],\"references\":[{\"url\":\"https://r.sec-consult.com/dkaccess\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"https://r.sec-consult.com/dormakaba\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"},{\"url\":\"https://www.dormakabagroup.com/en/security-advisories\",\"source\":\"551230f0-3615-47bd-b7cc-93e92e730bbf\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59097\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-26T16:09:48.312965Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-26T16:09:54.467Z\"}}], \"cna\": {\"title\": \"Unauthenticated SOAP API in dormakaba access manager\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Clemens Stockenreitner, SEC Consult Vulnerability Lab\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Werner Schober, SEC Consult Vulnerability Lab\"}], \"impacts\": [{\"capecId\": \"CAPEC-36\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-36: Using Unpublished Interfaces or Functionality\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.3, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"dormakaba\", \"product\": \"Access Manager 92xx-k5\", \"versions\": [{\"status\": \"affected\", \"version\": \"92xx-K5: All Versions\"}], \"defaultStatus\": \"affected\"}, {\"vendor\": \"dormakaba\", \"product\": \"Access Manager 92xx-k7\", \"versions\": [{\"status\": \"affected\", \"version\": \"92xx-K7: Older than BAME 06.00 must be configured\"}], \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"It is highly recommended to encrypt the communication to the Access Manager 92xx K5 via IPSec. The Configuration is described in the device reference manual. It is also recommended to secure the used communication port from external access.\\n\\nTo encrypt the communication to the Access Manager 92xx K7, an mTLS connection can be set up. For new installations in combination with exos 4.4.x, HTTPS with self-signed certificates is activated by default. In existing installations, this must be configured manually. HTTPS with self-signed certificates can be configured at any time. The configuration is described in the device reference manual.  It is also recommended to secure or close the used communication port from external access.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"It is highly recommended to encrypt the communication to the Access Manager 92xx K5 via IPSec. The Configuration is described in the device reference manual. It is also recommended to secure the used communication port from external access.\u003cbr\u003e\u003cbr\u003eTo encrypt the communication to the Access Manager 92xx K7, an mTLS connection can be set up. For new installations in combination with exos 4.4.x, HTTPS with self-signed certificates is activated by default. In existing installations, this must be configured manually. HTTPS with self-signed certificates can be configured at any time. The configuration is described in the device reference manual.  It is also recommended to secure or close the used communication port from external access.\", \"base64\": false}]}], \"references\": [{\"url\": \"https://r.sec-consult.com/dormakaba\", \"tags\": [\"technical-description\"]}, {\"url\": \"https://r.sec-consult.com/dkaccess\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://www.dormakabagroup.com/en/security-advisories\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.5.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps.\\n\\nThis insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication:\\n- Re-configure Access Managers (e.g. remove alarming system requirements)\\n- Freely re-configure the inputs and outputs\\n- Open all connected doors permanently\\n- Open all doors for a defined time interval\\n- Change the admin password\\n- and many more\\n\\nNetwork level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps.\u003cbr\u003e\u003cbr\u003eThis insecure default allows an attacker with network level access to completely control the whole environment. An attacker is for example easily able to conduct the following tasks without prior authentication:\u003cbr\u003e- Re-configure Access Managers (e.g. remove alarming system requirements)\u003cbr\u003e- Freely re-configure the inputs and outputs\u003cbr\u003e- Open all connected doors permanently\u003cbr\u003e- Open all doors for a defined time interval\u003cbr\u003e- Change the admin password\u003cbr\u003e- and many more\u003cbr\u003e\u003cbr\u003eNetwork level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-306\", \"description\": \"CWE-306: Missing Authentication for Critical Function\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1188\", \"description\": \"CWE-1188: Initialization of a Resource with an Insecure Default\"}]}], \"providerMetadata\": {\"orgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"shortName\": \"SEC-VLab\", \"dateUpdated\": \"2026-01-26T10:04:38.742Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59097\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-26T16:09:59.007Z\", \"dateReserved\": \"2025-09-09T07:52:56.383Z\", \"assignerOrgId\": \"551230f0-3615-47bd-b7cc-93e92e730bbf\", \"datePublished\": \"2026-01-26T10:04:38.742Z\", \"assignerShortName\": \"SEC-VLab\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…