CVE-2025-59091: CWE-798: Use of Hard-coded Credentials in dormakaba Kaba exos 9300
Multiple hardcoded credentials have been identified which allow signing in to the exos 9300 datapoint server running on ports 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible. To send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to log in to the datapoint server and receive as well as send information, including commands to open arbitrary doors.
AI Analysis
Technical Summary
CVE-2025-59091 affects the dormakaba Kaba exos 9300 access control system, specifically its datapoint server, which listens on TCP ports 1004 and 1005. The datapoint server relays status information between the Access Managers (the components that control the doors) and the management application, where it drives the graphical view of open doors and alerts; the same interface also carries commands to the Access Managers. Authentication is required to exchange status information, but the exos 9300 application embeds hard-coded credentials for four user accounts that the datapoint server accepts. Because they are compiled into the application, the credentials are identical in every installation and cannot be changed by the operator; anyone who has extracted them once from any copy of the software and can reach port 1004 or 1005 can log in remotely without user interaction and without any legitimate account, read status data, and issue commands, including commands to open any door the system controls. The CVSS 4.0 vector reported for this entry is network attack vector (AV:N), low attack complexity (AC:L), no privileges or user interaction required (PR:N/UI:N), and high impact on confidentiality and integrity (VC:H/VI:H), giving a critical base score of 9.3. The entry lists all versions prior to 4.4.1 as affected and states that no official patch was available at the time of enrichment; since the affected range ends at 4.4.1, confirm with dormakaba whether that release is available before assuming only manual mitigations exist. Because this is a physical access control system, successful exploitation translates directly into unauthorized entry, theft or sabotage rather than a purely logical compromise.
Potential Impact
For European organizations running exos 9300, the impact of CVE-2025-59091 is substantial. Remote authentication with credentials the operator cannot change, followed by commands that open doors, defeats the basic purpose of a physical access control system. Consequences include unauthorized entry into secure areas and the resulting theft of equipment, intellectual property or sensitive data, or sabotage of critical infrastructure; government buildings, data centers, transportation hubs and corporate offices are at heightened risk. Physical access also enables follow-on cyber intrusions, for example by reaching network equipment, consoles or unattended endpoints. The status feed itself is valuable to an attacker: it reveals which doors are open and which alarms are active, which supports reconnaissance and the timing of an intrusion. Exploitation requires nothing beyond network reachability and the leaked credentials, so compensating controls are urgent wherever a fixed release is not yet deployed. Where a physical breach leads to personal-data compromise or a safety incident, regulatory exposure under GDPR and sector rules, and the associated reputational damage, can be severe.
Mitigation Recommendations
Until a fixed release is installed, European organizations should rely on the following compensating controls. Because the credentials are hard-coded in the application rather than configured by the operator, they cannot be rotated or disabled locally; limiting who can reach the datapoint server is the only direct control available.
1) Network segmentation: place the Kaba exos 9300 datapoint server on an isolated access-control segment that is not reachable from user, guest or Internet-facing networks, and admit only the Access Managers and designated management workstations to it.
2) Firewall rules: permit inbound TCP 1004 and 1005 to the datapoint server only from the explicit list of Access Managers and management hosts, and drop and log everything else; the logged drops double as an indicator for the next item.
3) Monitoring: baseline which sources normally connect to TCP 1004/1005 and alert on any new source, on bursts of repeated or failed logins, and on door-open commands that do not correlate with badge activity or schedules in the access-control audit trail.
4) Physically secure the host running the datapoint server and the network equipment on its segment, so an attacker cannot simply plug into the trusted segment.
5) Engage dormakaba support for vendor guidance, interim mitigations and confirmation of which release addresses the issue.
6) Plan and prioritize the upgrade to version 4.4.1 or later (the affected range ends at 4.4.1) as soon as dormakaba confirms its availability.
7) Train security and facilities staff to recognize and report unexplained door releases, alarms that clear without a visible cause, or unusual connections to the access-control segment.
8) Add compensating physical controls such as CCTV coverage of sensitive doors and intrusion detection in protected areas, so that an unauthorized door release is still detected and responded to.
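As an added example, not code from this page or from dormakaba, the following Python script implements items 2 and 3 above together: it holds an allowlist of the sources that legitimately talk to the datapoint server, renders the corresponding nftables accept/drop rules, and scans constructed firewall log lines for any TCP connection to port 1004 or 1005 from a source outside that allowlist. The subnets, host addresses and the iptables-style log line format are assumptions for illustration; the only facts taken from the advisory are the two port numbers.

```python
import ipaddress
import re

# Ports the exos 9300 datapoint server listens on (from the advisory).
DATAPOINT_PORTS = {1004, 1005}

# ASSUMED allowlist: the Access Managers and management workstations that
# legitimately exchange status and commands with the datapoint server.
# Replace with the real inventory; these addresses are illustrative only.
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.20.30.0/28"),   # assumed Access Manager segment
    ipaddress.ip_network("10.20.40.10/32"),  # assumed management workstation
]

# Assumed log format, modelled on netfilter LOG output:
# "... SRC=<ip> DST=<ip> PROTO=TCP SPT=<port> DPT=<port> ..."
LOG_RE = re.compile(
    r"SRC=(?P<src>[0-9a-fA-F.:]+)\s+DST=(?P<dst>[0-9a-fA-F.:]+)\s+"
    r"PROTO=(?P<proto>\w+)\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def is_allowed_source(ip_str):
    """True if the source address falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ALLOWED_SOURCES)


def parse_line(line):
    """Extract src, dst, protocol and destination port; None if the line does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "proto": m["proto"].upper(), "dport": int(m["dpt"])}


def find_unexpected_datapoint_clients(lines):
    """Return (src, dport, line) for each TCP session to a datapoint port from a non-allowlisted source."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dport"] not in DATAPOINT_PORTS:
            continue
        if not is_allowed_source(rec["src"]):
            findings.append((rec["src"], rec["dport"], line))
    return findings


def nftables_rules(server_ip, table="filter", chain="input"):
    """Render nft commands: accept datapoint traffic from the allowlist, log and drop the rest.

    Assumes an existing 'inet' table and base chain with the given names."""
    ports = ",".join(str(p) for p in sorted(DATAPOINT_PORTS))
    rules = []
    for net in ALLOWED_SOURCES:
        rules.append(f"nft add rule inet {table} {chain} ip saddr {net} "
                     f"ip daddr {server_ip} tcp dport {{ {ports} }} accept")
    # Final rule: everything else aimed at the datapoint ports is logged (feeding
    # the monitoring in item 3) and dropped.
    rules.append(f"nft add rule inet {table} {chain} ip daddr {server_ip} "
                 f"tcp dport {{ {ports} }} log prefix \"exos-datapoint-deny \" drop")
    return rules


# Constructed sample log lines (not real traffic): two allowlisted clients,
# one unknown Internet source, one UDP packet and one unrelated port.
SAMPLE_LOG = [
    "Jan 26 10:20:58 fw kernel: exos-datapoint SRC=10.20.30.5 DST=10.20.50.2 PROTO=TCP SPT=51234 DPT=1004 SYN",
    "Jan 26 10:21:03 fw kernel: exos-datapoint SRC=10.20.40.10 DST=10.20.50.2 PROTO=TCP SPT=51300 DPT=1005 SYN",
    "Jan 26 10:21:09 fw kernel: exos-datapoint SRC=192.0.2.77 DST=10.20.50.2 PROTO=TCP SPT=44021 DPT=1004 SYN",
    "Jan 26 10:21:15 fw kernel: exos-datapoint SRC=10.20.30.5 DST=10.20.50.2 PROTO=UDP SPT=5000 DPT=1004",
    "Jan 26 10:21:20 fw kernel: exos-datapoint SRC=172.16.9.4 DST=10.20.50.2 PROTO=TCP SPT=40001 DPT=443 SYN",
]

if __name__ == "__main__":
    for rule in nftables_rules("10.20.50.2"):
        print(rule)
    for src, port, line in find_unexpected_datapoint_clients(SAMPLE_LOG):
        print(f"ALERT: {src} -> tcp/{port} is not an allowlisted datapoint client: {line}")
```

Run against the sample, only the 192.0.2.77 connection to tcp/1004 is reported; the UDP packet and the port 443 session are ignored because the check is deliberately scoped to TCP on the two datapoint ports. Keeping the allowlist in one place means the firewall rules and the log check cannot drift apart, which is the failure mode that usually lets a "temporary" exception become permanent exposure.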
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-09T07:52:56.382Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6977400a4623b1157c815e78
Added to database: 1/26/2026, 10:20:58 AM
Last enriched: 1/26/2026, 10:41:09 AM
Last updated: 2/5/2026, 5:57:39 PM