CVE-2025-59091 CRITICAL

CVE-2025-59091: Hardcoded Legacy Accounts Allowing Control Over Access Managers in dormakaba Kaba exos 9300

Vendor Dormakaba
Product Kaba exos 9300
Weakness CWE-798 · Hardcoded credentials
Published January 26, 2026
Last update January 26, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Multiple hardcoded credentials have been identified that allow signing in to the exos 9300 datapoint server running on ports 1004 and 1005. This server relays status information from and to the Access Managers. Among other things, that information is used to graphically visualize open doors and alerts; however, the same interface can also be used to control the Access Managers. Authentication is required to send and receive status information. The Kaba exos 9300 application contains hardcoded credentials for four different users that are allowed to log in to the datapoint server and both receive and send information, including commands to open arbitrary doors.
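Because the hardcoded accounts cannot be rotated by the operator, one compensating control is to watch who talks to the datapoint server ports at all: only the Access Managers and the visualization host should ever connect to 1004/1005. The detection below is an added example written for this advisory, not vendor code; the flow-log line format, the allowlisted networks and the sample lines are all constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Ports of the exos 9300 datapoint server, as stated in the advisory.
DATAPOINT_PORTS = {1004, 1005}

# Hypothetical allowlist for a constructed site: the Access Managers' subnet
# and the single workstation that visualizes door status.
EXPECTED_CLIENTS = [
    ipaddress.ip_network("10.10.20.0/24"),  # Access Managers
    ipaddress.ip_network("10.10.30.5/32"),  # visualization workstation
]

# Constructed flow-log line format (not a real exos or firewall format):
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>
LINE_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")

@dataclass(frozen=True)
class Finding:
    timestamp: str
    src_ip: str
    dst_ip: str
    dst_port: int

def is_expected_client(src_ip: str) -> bool:
    """True if src_ip parses and falls inside an allowlisted network."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False  # an unparsable source is never "expected"
    return any(addr in net for net in EXPECTED_CLIENTS)

def find_unexpected_datapoint_clients(lines) -> list:
    """Connections to a datapoint-server port from a source that is not an
    allowlisted Access Manager or workstation; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src_ip, _sport, dst_ip, dst_port, _proto = m.groups()
        if int(dst_port) in DATAPOINT_PORTS and not is_expected_client(src_ip):
            findings.append(Finding(ts, src_ip, dst_ip, int(dst_port)))
    return findings

# Constructed sample: two expected clients, one unknown host (flagged once).
SAMPLE_LOG = [
    "2026-01-26T08:00:01Z 10.10.20.7:51234 -> 10.10.10.2:1005 tcp",
    "2026-01-26T08:00:05Z 10.10.30.5:49152 -> 10.10.10.2:1004 tcp",
    "2026-01-26T08:00:09Z 192.168.77.12:40000 -> 10.10.10.2:1004 tcp",
    "2026-01-26T08:00:12Z 192.168.77.12:40001 -> 10.10.10.2:443 tcp",
]
```

A single hit from an unlisted host is worth an alert on its own, since a legitimate client on this interface is a fixed, small set of devices.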

Key dates

Disclosure timeline

January 26, 2026 CVE published
January 26, 2026 Record updated