The dormakaba Kaba exos 9300 server exposes a SOAP API on TCP port 8002 that does not enforce any authentication, constituting a Missing Authentication for Critical Function vulnerability (CWE-306). This flaw allows any attacker with network access to the device to send arbitrary SOAP requests without credentials. Exploitable functions include the creation of arbitrary access log events, which could be used to manipulate or falsify security logs, and the querying of two-factor authentication (2FA) PINs associated with enrolled chip cards, potentially compromising multi-factor authentication mechanisms. The vulnerability affects all versions prior to 4.4.0, with no official patches currently available, necessitating manual mitigation steps. The CVSS 4.0 score of 9.3 reflects the vulnerability’s critical nature: it requires no privileges, no user interaction, and can be exploited remotely over the network, impacting confidentiality and integrity severely. The exposure of 2FA PINs undermines the security of physical access controls, potentially allowing unauthorized physical entry. The ability to forge access logs further complicates detection and forensic analysis. This vulnerability is classified under CWE-306 (Missing Authentication) and CWE-1188 (Improper Access Control), highlighting fundamental security design flaws in the product’s API. Given dormakaba’s widespread use in European enterprises and critical infrastructure, the risk is substantial. No known exploits are currently reported in the wild, but the ease of exploitation and critical impact warrant urgent attention.

European organizations using dormakaba Kaba exos 9300 for physical access control face severe risks including unauthorized physical access, compromise of multi-factor authentication credentials, and manipulation of security logs. This can lead to breaches of sensitive facilities, theft of intellectual property, and disruption of critical infrastructure operations. The exposure of 2FA PINs effectively nullifies the protection offered by chip card authentication, increasing the likelihood of insider threats or external attackers gaining unauthorized entry. Log manipulation impairs incident detection and response capabilities, potentially allowing attackers to operate undetected for extended periods. Industries such as finance, government, healthcare, and manufacturing, which rely heavily on secure physical access controls, are particularly vulnerable. The lack of authentication on a critical API also raises concerns about compliance with European data protection and security regulations, potentially leading to legal and reputational consequences. The absence of a patch means organizations must rely on network-level mitigations, which may be incomplete or difficult to enforce in complex environments.

Until an official patch is released, organizations should implement strict network segmentation to isolate the Kaba exos 9300 servers from untrusted networks, allowing access only from trusted management hosts. Employ firewall rules to block all inbound traffic to port 8002 except from authorized IP addresses. Monitor network traffic to and from the exos 9300 devices for unusual or unauthorized SOAP requests, using intrusion detection systems with custom signatures if possible. Conduct regular audits of access logs to detect anomalies that may indicate exploitation attempts. Disable or restrict the SOAP API if feasible, or configure the device to limit API exposure. Implement compensating controls such as enhanced physical security measures and additional authentication layers for critical access points. Engage with dormakaba support to obtain guidance on manual mitigation steps and timelines for patch availability. Maintain up-to-date asset inventories to identify all affected devices and prioritize remediation efforts. Finally, educate security teams and physical security personnel about the risks and signs of exploitation related to this vulnerability.