The vulnerability CVE-2025-59092 affects dormakaba's Kaba exos 9300 access control system versions below 4.4.0. The core issue lies in an RPC service running on port 4000, executed by the FSMobilePhoneInterface.exe process, which is responsible for interprocess communication between various services and the Kaba exos 9300 GUI. This service handles status information related to Access Managers, such as door contact states. Critically, this RPC service does not require any authentication, allowing unauthenticated remote actors to send arbitrary status information. This flaw is categorized under CWE-798, indicating the use of hard-coded credentials or insufficient authentication mechanisms. Exploiting this vulnerability enables an attacker to manipulate the reported status of physical access points, potentially masking unauthorized access or triggering false alarms. The vulnerability is remotely exploitable over the network without any user interaction or privileges, increasing its risk profile. The CVSS 4.0 base score of 8.7 reflects the ease of exploitation combined with the high impact on system integrity. While no public exploits are currently known, the vulnerability could be leveraged to undermine physical security controls, disrupt operations, or facilitate further attacks within a compromised environment. The lack of authentication and the exposure of the RPC service on a network port make this a critical concern for organizations using the affected product. No patches are currently linked, emphasizing the need for vendor engagement and interim mitigations.

For European organizations, this vulnerability threatens the integrity and reliability of physical access control systems, which are often integrated into broader security and operational technology environments. Successful exploitation could allow attackers to falsify door status information, potentially enabling unauthorized physical access or concealing intrusions. This undermines trust in security monitoring and may lead to breaches of sensitive facilities, including data centers, government buildings, and critical infrastructure. The disruption or manipulation of access control systems can also cause operational downtime and complicate incident response efforts. Given the widespread use of dormakaba products in Europe, especially in sectors such as finance, healthcare, transportation, and public administration, the impact could be significant. Attackers could leverage this vulnerability as a foothold for lateral movement or to facilitate physical theft, espionage, or sabotage. The lack of authentication and remote exploitability increase the risk of automated or opportunistic attacks, potentially affecting multiple organizations simultaneously.

European organizations should immediately assess their deployment of dormakaba Kaba exos 9300 systems and verify the version in use, prioritizing upgrades to version 4.4.0 or later once available. In the absence of an official patch, organizations should implement strict network segmentation to isolate the affected devices from untrusted networks, restricting access to port 4000 to only authorized management stations. Deploying network-level access controls such as firewalls or VLANs can reduce exposure. Monitoring network traffic for unusual activity targeting port 4000 or the FSMobilePhoneInterface.exe process can help detect exploitation attempts. Additionally, organizations should review physical security logs for anomalies that could indicate manipulation. Vendor engagement is critical to obtain patches or workarounds and to confirm remediation timelines. Where possible, implementing multi-factor authentication for management interfaces and enhancing logging and alerting around access control systems will improve detection and response capabilities. Finally, conducting regular security audits and penetration tests focusing on physical security integration points will help identify residual risks.