CVE-2025-59093: CWE-656: Reliance on Security Through Obscurity in dormakaba Kaba exos 9300
Exos 9300 instances are using a randomly generated database password to connect to the configured MSSQL server. The password is derived from static random values, which are concatenated to the hostname and a random string that can be read by every user from the registry. This allows an attacker to derive the database password and get authenticated access to the central exos 9300 database as the user Exos9300Common. The user has the roles ExosDialog and ExosDialogDotNet assigned, which are able to read most tables of the database as well as update and insert into many tables.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-59093 affects all versions of dormakaba's Kaba exos 9300 access control system. The core issue stems from the system's reliance on security through obscurity (CWE-656) for database authentication. Specifically, the system generates the MSSQL database password by concatenating static random values with the hostname and a random string stored in the Windows registry. However, the registry key containing this random string is readable by any user on the system, allowing an attacker with local access to reconstruct the database password. Once the password is derived, the attacker can authenticate as the Exos9300Common user, which holds the ExosDialog and ExosDialogDotNet roles. These roles grant broad read access to most database tables and the ability to update or insert data into many tables, effectively allowing an attacker to manipulate access control data, potentially altering permissions, access logs, or system configurations. The vulnerability does not require elevated privileges beyond read access to the registry and does not require user interaction, making it easier to exploit in environments where local access is possible. The CVSS 4.0 vector indicates low attack complexity and no need for user interaction, with high impact on confidentiality, integrity, and availability. No patches are currently available, so manual mitigation is necessary. The vulnerability highlights a fundamental design flaw in credential management, relying on obscurity rather than robust cryptographic protections.
Potential Impact
For European organizations, especially those in sectors relying heavily on physical access control such as government facilities, transportation hubs, healthcare, and critical infrastructure, this vulnerability poses a significant risk. An attacker who gains local access to a system running Kaba exos 9300 can extract the database password and manipulate access control data, potentially granting unauthorized physical access or covering tracks by altering logs. This could lead to unauthorized entry into secure areas, data breaches, or sabotage. The integrity of access control systems is critical for regulatory compliance and safety; thus, exploitation could result in operational disruptions, financial losses, reputational damage, and legal consequences under regulations like GDPR. Since the vulnerability affects all versions and requires manual mitigation, organizations face an urgent need to implement compensating controls. The requirement for local access limits remote exploitation but insider threats or attackers who gain initial footholds could leverage this vulnerability to escalate privileges and move laterally within networks.
Mitigation Recommendations
1. Restrict registry permissions to limit read access only to trusted administrative accounts, preventing unauthorized users from reading the random string used in password derivation.
2. Isolate the MSSQL database server hosting the exos 9300 database on a secured network segment with strict access controls to minimize local access opportunities.
3. Implement robust monitoring and alerting for unusual database activities, such as unexpected read or write operations by the Exos9300Common user.
4. Employ host-based intrusion detection systems (HIDS) to detect unauthorized access attempts to the registry or database files.
5. Conduct regular audits of user permissions and access logs to detect anomalies.
6. Engage with dormakaba for any upcoming patches or official mitigations and plan for timely deployment.
7. Consider deploying application whitelisting and endpoint protection to reduce the risk of attackers gaining local access.
8. Educate staff on the risks of insider threats and enforce strict physical and logical access controls to systems running the vulnerable software.
9. If feasible, redesign or replace the credential management approach to use secure, cryptographically strong methods rather than relying on obscurity.
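A way to verify the first recommendation on a host, as an added example that is not part of the advisory or of dormakaba's software: the script audits the ACL of the registry key holding the password-derivation string and reports any ACE that lets a broad principal (Users, Everyone, Authenticated Users) query its values. The advisory does not name the key, so the `$KeyPath` default is a placeholder and the list of broad principals is an assumption.

```powershell
# Added example, not from the advisory. Audits which broad principals can read
# values under the exos 9300 registry key. The key path is a PLACEHOLDER
# (assumption): replace it with the key that actually stores the random string.
param(
    [string]$KeyPath = 'HKLM:\SOFTWARE\PLACEHOLDER\Exos9300'
)

# Principals whose read access effectively means "every user" on the host (assumed list).
$BroadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadRegistryReadAccess {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        throw "Registry key not found: $Path"
    }
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # QueryValues is the single right needed to read the stored string;
        # ReadKey and FullControl both include it, so test that bit alone.
        $canQuery = ($ace.RegistryRights -band
                     [System.Security.AccessControl.RegistryRights]::QueryValues) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canQuery -and
            $BroadPrincipals -contains $ace.IdentityReference.Value) {
            [pscustomobject]@{
                Key       = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited   # inherited ACEs come from HKLM\SOFTWARE defaults
            }
        }
    }
}

$findings = @(Get-BroadRegistryReadAccess -Path $KeyPath)
if ($findings.Count -eq 0) {
    Write-Output "OK: no broad read access on $KeyPath"
} else {
    Write-Warning "Broad read access found on $KeyPath (mitigation 1 not applied):"
    $findings | Format-Table -AutoSize
}
```

An inherited Users read ACE cannot be removed directly; the key's inheritance must first be broken (Set-Acl with SetAccessRuleProtection) and explicit ACEs for the service account and administrators re-added. Confirm afterwards that the exos 9300 service still starts, since the service itself must retain read access.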
Affected Countries
Germany, Switzerland, Austria, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-09T07:52:56.382Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6977400a4623b1157c815e82
Added to database: 1/26/2026, 10:20:58 AM
Last enriched: 1/26/2026, 10:40:21 AM
Last updated: 2/7/2026, 6:16:42 PM