
CVE-2025-59095: CWE-798: Use of Hard-coded Credentials in dormakaba Kaba exos 9300

Severity: Medium
Tags: Vulnerability, CVE-2025-59095, CWE-798
Published: Mon Jan 26 2026 (01/26/2026, 10:04:15 UTC)
Source: CVE Database V5
Vendor/Project: dormakaba
Product: Kaba exos 9300

Description

The program libraries (DLL) and binaries used by exos 9300 contain multiple hard-coded secrets. One notable example is the function "EncryptAndDecrypt" in the library Kaba.EXOS.common.dll. This algorithm uses a simple XOR technique combined with a cryptographic key (cryptoKey) to transform each character of the input string. This implementation does not provide strong encryption and should not be considered secure for sensitive data; it is a custom scheme rather than a standard cryptographic algorithm. The key itself is static and is based on the name of the company's founder. The routine is used, for example, to encrypt user PINs before storing them in the MSSQL database.

AI-Powered Analysis

Last updated: 01/26/2026, 10:39:35 UTC

Technical Analysis

CVE-2025-59095 identifies a vulnerability in dormakaba's Kaba exos 9300 physical access control system software in versions prior to 4.3.3. The program libraries and binaries contain multiple hard-coded secrets; the example the CVE record names is the function "EncryptAndDecrypt" in Kaba.EXOS.common.dll, which applies a repeating-key XOR with a static key (cryptoKey) derived from the name of the company's founder. The same routine is used to transform user PINs before they are written to the MSSQL database. This is not encryption in any meaningful sense: XOR is its own inverse, so one routine both encrypts and decrypts; the key is identical in every installation because it ships inside the DLL; and anyone who can read the DLL can read the key. The key does not even have to be pulled out of the binary. Because ciphertext XOR plaintext equals the key, a single known PIN together with its stored form (for example the attacker's own account) reveals the key bytes, and because PINs are only a few digits long, only the first few key bytes are ever used. The practical consequence is that read access to the PIN column, whether on the live MSSQL server, in a backup, or through any database login, yields every stored PIN. The CVSS 4.0 score of 6.8 (Medium) reflects a local attack vector with low privileges and no user interaction, combined with a high confidentiality impact. No exploits in the wild are known and the record links no patch, but the affected version range means upgrading to 4.3.3 or later is the recommended fix. The weakness is classified as CWE-798 (Use of Hard-coded Credentials); note that the CVE text describes multiple hard-coded secrets, of which the PIN routine is only the named example. Given the role of Kaba exos 9300 in physical access control, recovered PINs can be replayed to gain unauthorized physical entry.
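The following Python is an added example, not code from dormakaba, from the CVE record, or from this page. It reconstructs the class of weakness described above (a repeating-key XOR with a static key applied to short numeric PINs) and shows the three consequences a practitioner cares about: the routine is its own inverse, one known PIN recovers the usable part of the key, and even with no known PIN the digit-only structure of the plaintext narrows each key byte to two candidates. It closes with a salted, slow-hash replacement. The key value, the PIN values, the byte-oriented interface and every function name are assumptions constructed for illustration; the real key and the exact EncryptAndDecrypt signature are deliberately not reproduced.

```python
"""Added example (not dormakaba code): why static-key XOR gives stored
PINs no protection, and what a hardened replacement looks like.

Everything below is constructed for illustration.  The key value, the
sample PINs and the function names are assumptions, not the real
contents of Kaba.EXOS.common.dll.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Stand-in for a hard-coded key.  The CVE text says the real key is
# static and derived from the founder's name; this value is made up.
HYPOTHETICAL_KEY = b"ExampleKey"

# Constructed sample PINs, as an access-control system might store them.
SAMPLE_PINS = [b"1234", b"2580", b"3141", b"4321", b"5000",
               b"6789", b"7777", b"8675", b"9999", b"0420"]


def xor_encrypt_and_decrypt(data: bytes, key: bytes = HYPOTHETICAL_KEY) -> bytes:
    """Repeating-key XOR.  One routine both encrypts and decrypts because
    XOR is its own inverse; every copy of the DLL carries the key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# What an attacker with read access to the PIN column sees.
SAMPLE_CIPHERTEXTS = [xor_encrypt_and_decrypt(p) for p in SAMPLE_PINS]


def recover_key_prefix(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: one (ciphertext, plaintext) pair, e.g. the
    attacker's own PIN, yields key byte i as ciphertext[i] ^ plaintext[i].
    Because PINs are short, only the first len(PIN) key bytes are ever
    used, so this prefix decrypts every PIN of that length or shorter."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def candidate_key_bytes(ciphertexts: list[bytes], position: int) -> list[int]:
    """Ciphertext-only attack for digit-only PINs: a key byte is only
    plausible if it turns every observed ciphertext byte at `position`
    back into an ASCII digit.  Once all ten digits have been observed at
    that position, exactly two candidates survive: the true byte and the
    true byte XOR 1 (the only XOR masks that map 0x30..0x39 onto itself)."""
    digits = set(b"0123456789")
    return [k for k in range(256)
            if all((ct[position] ^ k) in digits
                   for ct in ciphertexts if len(ct) > position)]


def decrypt_all(ciphertexts: list[bytes], key_prefix: bytes) -> list[bytes]:
    """Recover every stored PIN using only the recovered key prefix."""
    return [xor_encrypt_and_decrypt(ct, key_prefix) for ct in ciphertexts]


# Hardened alternative: store a salted, slow hash, never a reversible value.
PBKDF2_ROUNDS = 600_000


def hash_pin(pin: bytes, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt + PBKDF2-HMAC-SHA256.  Caveat: a 4 to 6 digit
    PIN has at most 10**6 candidates, so hashing only slows brute force;
    lockout/rate limiting, or a keyed HMAC whose key lives outside the
    database (e.g. in an HSM), is needed for real protection."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", pin, salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_pin(pin: bytes, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", pin, salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    prefix = recover_key_prefix(SAMPLE_CIPHERTEXTS[0], SAMPLE_PINS[0])
    print("key prefix from one known PIN:", prefix)
    print("every PIN decrypted:", decrypt_all(SAMPLE_CIPHERTEXTS, prefix))
    print("candidates for key byte 0 with no known PIN:",
          [hex(k) for k in candidate_key_bytes(SAMPLE_CIPHERTEXTS, 0)])
```

The point of `candidate_key_bytes` is that the attacker does not need the DLL, a known PIN, or host access at all: a copy of the PIN table (a database backup is enough) constrains each key byte to two values, and two candidates per position is trivially brute-forced. That is why the mitigation below treats database copies, not just the application host, as in scope.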

Potential Impact

For European organizations, especially those relying on dormakaba's Kaba exos 9300 for physical access control, this vulnerability poses a significant confidentiality risk. Exposure of user PINs could let attackers bypass physical security controls and gain unauthorized entry to sensitive facilities, data centers, or critical infrastructure sites, with theft, sabotage, or espionage as possible consequences. The impact is heightened in sectors such as government, finance, healthcare, and industrial manufacturing, where physical security is tightly integrated with cybersecurity. Although the vulnerability does not directly affect system integrity or availability, the compromise of authentication credentials undermines trust in the access control system as a whole. The local attack vector limits remote exploitation, but insiders, or attackers who have gained an initial foothold, can exploit it. Because the stored PINs can be recovered from the database contents alone, every copy of the database (backups, replicas, exports shared with integrators) carries the same exposure as the live server. The static key also means that once it is known, every PIN ever stored with it is exposed, not just those on one system. Organizations may face regulatory and compliance consequences under GDPR if personal data is exposed through an inadequate protection mechanism of this kind.

Mitigation Recommendations

To mitigate CVE-2025-59095, upgrade all affected Kaba exos 9300 installations to version 4.3.3 or later, where the hard-coded key issue is addressed. Confirm with dormakaba whether the upgrade converts PINs already stored in the MSSQL database; if it does not, or this cannot be confirmed, reset user PINs after the upgrade and treat every PIN stored before it as exposed. Until the upgrade is applied, restrict who can reach the host and, just as importantly, the database: limit which MSSQL logins can read the PIN tables, protect and encrypt database backups, and track where copies of the database (backups, replicas, exports) have gone, since the PINs can be recovered from the data alone. Segment the access control system from general IT infrastructure to reduce the chance that an attacker with a foothold elsewhere reaches it. Log and alert on reads of the PIN tables by accounts other than the exos application, and on access to Kaba.EXOS.common.dll and other product binaries by unexpected users; EDR tooling can help here, but reverse engineering of the DLL happens on the attacker's own machine and will not be visible on the host. Enforce least privilege and brief staff on insider-threat risk, since the attack vector is local. Finally, engage dormakaba support for secure configuration guidance, and ask how the other hard-coded secrets mentioned in the CVE record are being handled.


Technical Details

Data Version
5.2
Assigner Short Name
SEC-VLab
Date Reserved
2025-09-09T07:52:56.383Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6977400a4623b1157c815e8c

Added to database: 1/26/2026, 10:20:58 AM

Last enriched: 1/26/2026, 10:39:35 AM

Last updated: 2/7/2026, 8:01:22 AM


