
CVE-2025-59094: CWE-269: Improper Privilege Management in dormakaba Kaba exos 9300

Severity: High
Tags: Vulnerability, CVE-2025-59094, CWE-269
Published: Mon Jan 26 2026 (01/26/2026, 10:04:05 UTC)
Source: CVE Database V5
Vendor/Project: dormakaba
Product: Kaba exos 9300

Description

A local privilege escalation vulnerability has been identified in the Kaba exos 9300 System management application (d9sysdef.exe). Within this application it is possible to specify an arbitrary executable as well as the weekday and start time, when the specified executable should be run with SYSTEM privileges.

AI-Powered Analysis

Last updated: 01/26/2026, 10:39:52 UTC

Technical Analysis

CVE-2025-59094 is a local privilege escalation vulnerability in the dormakaba Kaba exos 9300 System management application, specifically its d9sysdef.exe executable. The root cause is improper privilege management (CWE-269): the application lets a user who already holds high privileges schedule an arbitrary executable to run with SYSTEM privileges by specifying the executable, the weekday and the start time. Because this scheduling feature does not validate or restrict what may be scheduled, a high-privilege user can escalate to full SYSTEM privileges. All versions of Kaba exos 9300, a widely deployed access control system used to manage physical security, are affected. The CVSS v4.0 score is 8.4 (high severity), reflecting a local attack vector, low attack complexity, high privileges required and no user interaction. Successful exploitation affects confidentiality, integrity and availability, since arbitrary code runs as SYSTEM; this can lead to full compromise of the host, unauthorized access to sensitive security controls and disruption of physical security operations. No patches or automated fixes are currently available, so mitigation must be manual. No exploitation in the wild has been reported, but the vulnerability is a significant risk wherever Kaba exos 9300 is part of critical security infrastructure. The CVE was reserved in September 2025 and published in January 2026, indicating recent discovery and disclosure.

Potential Impact

For European organizations, the impact of CVE-2025-59094 is considerable due to the critical role that Kaba exos 9300 plays in physical access control systems. Exploitation could allow attackers to gain SYSTEM-level control over the management application, potentially leading to unauthorized manipulation of access permissions, disabling of security controls, and full compromise of physical security infrastructure. This could result in unauthorized facility access, data breaches, and operational disruptions. Organizations in sectors such as government, finance, healthcare, transportation, and critical infrastructure are particularly vulnerable, as physical security is integral to their overall security posture. The ability to execute arbitrary code with SYSTEM privileges also opens the door for lateral movement within networks, persistence, and further compromise of IT assets. Given the lack of patches, the risk of exploitation increases if attackers gain initial high-privilege access. The vulnerability could also undermine compliance with European data protection and security regulations if exploited to access sensitive areas or data.

Mitigation Recommendations

Since no official patches are currently available, European organizations should implement immediate manual mitigations:

- Restrict access to the Kaba exos 9300 management application and the d9sysdef.exe executable to the minimum necessary set of high-privilege users.
- Apply strict access controls and monitoring on systems running the application so that any unauthorized scheduling of executables is detected.
- Use application whitelisting to prevent execution of unauthorized binaries.
- Regularly audit scheduled tasks and logs for suspicious entries related to the application.
- Isolate the management system on a segmented network with limited connectivity to reduce the attack surface.
- Deploy strong endpoint protection and behavioral monitoring to detect privilege escalation attempts.
- Engage dormakaba support for interim guidance and monitor for official patches or updates.
- Train users on the risks of privilege misuse.
- Develop and test incident response plans for exploitation scenarios involving this vulnerability.
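As an added example, not taken from the advisory or from dormakaba, the first recommendation above can be checked with PowerShell: the script reads the ACL on d9sysdef.exe and on its folder and flags entries that give execute or write rights to broad principals such as Everyone or BUILTIN\Users. The install path is an assumption and must be adjusted to the real location.

```powershell
# Added example, not part of the advisory. Audits the ACL on d9sysdef.exe
# and its directory for broad principals holding execute or write rights.
# $ExePath is an assumed placeholder; set it to the real install location.
param(
    [string]$ExePath = 'C:\Program Files\dormakaba\exos9300\d9sysdef.exe'  # assumed path
)

# Principals that should not be able to run or replace the management tool.
$BroadPrincipals = @(
    'Everyone', 'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
)

function Get-BroadAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        if ($BroadPrincipals -notcontains $who) { continue }
        $rights = $ace.FileSystemRights
        # Note: generic rights bits (GENERIC_ALL etc.) are not decoded here.
        $exec  = ($rights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile) -ne 0
        $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete
        $write = ($rights -band $writeMask) -ne 0
        if ($exec -or $write) {
            [pscustomobject]@{
                Path = $Path; Principal = $who
                Execute = $exec; Write = $write; Rights = $rights
            }
        }
    }
}

if (-not (Test-Path -Path $ExePath)) {
    Write-Warning "d9sysdef.exe not found at $ExePath; adjust the path."
    return
}

$findings = @()
$findings += Get-BroadAccess -Path $ExePath
# Write access on the folder would allow replacing the binary itself.
$findings += Get-BroadAccess -Path (Split-Path -Path $ExePath -Parent)

if ($findings.Count -eq 0) {
    Write-Output 'No broad principals with execute or write rights found.'
} else {
    Write-Output 'Broad access found; restrict these ACEs to the minimum set of high-privilege operators:'
    $findings | Format-Table -AutoSize
}
```

This only checks file-system exposure of the tool; the in-application scheduling feature still needs the access restriction and auditing described above.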


Technical Details

Data Version: 5.2
Assigner Short Name: SEC-VLab
Date Reserved: 2025-09-09T07:52:56.382Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6977400a4623b1157c815e87
Added to database: 1/26/2026, 10:20:58 AM
Last enriched: 1/26/2026, 10:39:52 AM
Last updated: 2/7/2026, 3:52:15 PM
