Access control systems: dormakaba fixes partly critical security vulnerabilities
Twenty vulnerabilities in Access Manager, registration unit, and Exos server for corporate locking systems. Reporting took years.
The symbolic image shows a security lock without security
(Image: Daniel AJ Sokolov)
The Swiss manufacturer of security and locking systems, dormakaba, has fixed several security vulnerabilities in its products, some of them critical. The fixes were preceded by a years-long reporting and remediation process. Attackers with network access to dormakaba management servers inside a company could, among other things, exploit hardcoded credentials and easily accessible solder joints.
Sometimes, "responsible disclosure" to a manufacturer is quick and unproblematic: ideally, the problem report and the manufacturer's fix are only hours or days apart. But sometimes it takes longer, as was the case with dormakaba. As early as April 2024, almost two years ago, the security service provider SEC Consult contacted the company and reported twenty security vulnerabilities, some of them critical. After the Swiss group had clarified internal responsibilities two weeks later, a year and a half of meetings and conference calls began, at the end of which all vulnerabilities are now being published.
The security problems mainly relate to the Kaba exos 3000 products and the dormakaba Access Manager, professional solutions for access control for companies. These consist not only of software but also of hardware: the Access Manager, for example, is a black box that is installed in the control cabinet. Kaba exos 3000 is used wherever locking authorizations change frequently, for example, due to regular visitors.
Many of the vulnerabilities, a representative of SEC Consult told heise security, had already been fixed before the collected findings were published in the company's blog. A dormakaba press spokesperson further qualifies: to exploit the vulnerabilities, an attacker would need prior access to the customer's network. "Overall, we are not aware of any cases where the identified vulnerabilities have been exploited," said the manufacturer.
Nevertheless, the list of security vulnerabilities is unsettling: it mentions hardcoded, weak passwords, unsecured APIs and RPC services (Application Programming Interface and Remote Procedure Call, respectively), and local privilege escalation. Some of the errors enabled "lock picking without using hands" – this title was chosen by the finders for their long blog article with details on all vulnerabilities.
Almost Two Dozen Vulnerabilities
The following vulnerabilities with high and critical severity in Kaba exos 9300 have been fixed:
- CVE-2025-59090 (CVSS 9.3 "critical"): Unsecured SOAP API, fixed in versions >= 4.4.0,
- CVE-2025-59091 (CVSS 9.3 "critical"): Hardcoded credentials for four user accounts, fixed in versions >= 4.4.1,
- CVE-2025-59092 (CVSS 8.7 "high"): RPC service without authentication, fixed in versions >= 4.4.0,
- CVE-2025-59093 (CVSS 8.5 "high"): Insecure password creation with insufficient randomness, manual password update required,
- CVE-2025-59094 (CVSS 8.4 "high"): Local privilege escalation, can only be fixed manually.
In the "Access Manager 92xx k5/k7", several findings with high or critical severity were also made. Some are not fixable or only fixable through manual intervention – details are revealed in the SEC Consult blog article.
- CVE-2025-59097 (CVSS 9.3 "critical"): Unsecured SOAP API,
- CVE-2025-59103 (CVSS 9.2 "critical"): Hardcoded and inadequate passwords for the SSH service,
- CVE-2025-59108 (CVSS 9.2 "critical"): The default password for the web interface is "admin",
- CVE-2025-59099 (CVSS 8.8 "high"): Path manipulation allows downloading of arbitrary files,
- CVE-2025-59098 (CVSS 8.7 "high"): A debugging function leaks sensitive data,
- CVE-2025-59107 (CVSS 8.5 "high"): Static password for encrypted firmware ZIPs,
- CVE-2025-59104 (CVSS 7.0 "high"): Attackers with access to the device can access the unencrypted bootloader via a solder connection,
- CVE-2025-59105 (CVSS 7.0 "high"): The flash memory of the devices is not encrypted and could be read out after desoldering.
Now that all vulnerabilities have been fixed, SEC Consult's security experts are left with a vulnerability report of a rare kind. "Such research is rare because these systems are almost never realistically accessible to independent testers, and that's precisely why it was particularly exciting to be able to review them holistically, from web components and infrastructure to reverse engineering and hardware disassembly," said security researcher Werner Schober.
And a dormakaba spokesperson explained why the fixes took almost two years: "We have gradually closed the vulnerabilities over time via standard releases; this also includes field tests with selected customers."
(cku)