CVE-2025-59096: CWE-798: Use of Hard-coded Credentials in dormakaba Kaba exos 9300
The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation.
AI Analysis
Technical Summary
CVE-2025-59096 identifies a vulnerability classified under CWE-798 (Use of Hard-coded Credentials) in the dormakaba Kaba exos 9300 physical access control system. The issue resides in the application U9ExosAdmin.exe, which manages the Kaba 9300 system. The extended admin user mode password is hard-coded in multiple locations within the application binary and is also documented in locally stored user manuals. This design flaw means that anyone with access to the system files or documentation can retrieve the default password and gain elevated administrative privileges. The vulnerability affects all versions of the product, indicating a systemic design oversight without version-specific fixes. The CVSS 4.6 score reflects a medium severity, considering that exploitation requires local access with high privileges but no user interaction or network vector. The vulnerability does not impact confidentiality or availability directly but poses a risk to integrity and administrative control, potentially allowing unauthorized configuration changes or disabling of security controls. No known exploits are currently reported in the wild, and no official patches have been released, so manual mitigation is necessary. This vulnerability is particularly concerning for environments where physical access control systems are critical to security, as it could enable attackers to bypass or manipulate access permissions.
Potential Impact
For European organizations, the impact of CVE-2025-59096 can be significant, especially in sectors relying heavily on physical security controls such as government facilities, transportation hubs, healthcare, and critical infrastructure. Unauthorized administrative access to the Kaba exos 9300 system could allow attackers to alter access permissions, disable alarms, or create backdoors, undermining physical security and potentially enabling further cyber-physical attacks. The confidentiality of access logs and configuration data could be compromised, and the integrity of the access control system could be undermined, leading to unauthorized entry or denial of legitimate access. Although the vulnerability requires local high-privilege access, insider threats or attackers who have already breached perimeter defenses could exploit it to escalate privileges. The lack of patches means organizations must rely on procedural mitigations, increasing operational risk. Given dormakaba's strong presence in Europe, particularly in countries with stringent physical security requirements, the threat could disrupt operations and erode trust in security infrastructure.
Mitigation Recommendations
To mitigate CVE-2025-59096, European organizations should immediately implement the following measures:
1. Change all default and hard-coded passwords in the Kaba exos 9300 system to strong, unique credentials not documented or stored locally.
2. Restrict physical and local administrative access to systems running U9ExosAdmin.exe to trusted personnel only, employing strict access controls and monitoring.
3. Remove or secure local user documentation that contains default credentials to prevent unauthorized discovery.
4. Implement robust logging and alerting on administrative access attempts to detect suspicious activity promptly.
5. Conduct regular audits of access control configurations and user accounts to identify unauthorized changes.
6. Engage with dormakaba support for any available updates or guidance and monitor for future patches.
7. Consider network segmentation and isolation of access control management systems to limit exposure.
8. Train staff on the risks of hard-coded credentials and enforce policies to avoid similar vulnerabilities in custom configurations or integrations.
These steps go beyond generic advice by focusing on operational controls and documentation management specific to this vulnerability.
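The following is an added detection example for measures 2 and 4 above; it is not part of the advisory and not dormakaba code. It flags process-creation events for U9ExosAdmin.exe that come from an account outside an approved operator list or outside an agreed maintenance window. The event format, host names, account names and window hours are all constructed assumptions; map the field names to your own endpoint telemetry.

```python
"""Alert on unexpected launches of the Kaba 9300 administration tool.

Rule: every start of U9ExosAdmin.exe is logged; it raises an alert when the
launching account is not an approved PACS operator or the start falls outside
the maintenance window. Sample events below are constructed, not real logs.
"""
import json
from datetime import datetime, time

ADMIN_BINARY = "u9exosadmin.exe"
# Assumption: these are the only accounts allowed to run the admin tool.
APPROVED_OPERATORS = {r"CORP\pacs-admin1", r"CORP\pacs-admin2"}
# Assumption: administrative work is only expected during these local hours.
MAINT_WINDOW = (time(7, 0), time(19, 0))

# Constructed JSON-lines rendering of Windows process-creation events.
SAMPLE_EVENTS = r"""
{"ts":"2026-01-26T09:15:02","host":"PACS-SRV01","user":"CORP\\pacs-admin1","image":"C:\\Program Files\\Kaba\\U9ExosAdmin.exe","parent":"explorer.exe"}
{"ts":"2026-01-26T22:41:37","host":"PACS-SRV01","user":"CORP\\pacs-admin1","image":"C:\\Program Files\\Kaba\\U9ExosAdmin.exe","parent":"explorer.exe"}
{"ts":"2026-01-26T10:03:11","host":"PACS-SRV01","user":"CORP\\jdoe","image":"C:\\Program Files\\Kaba\\U9ExosAdmin.exe","parent":"cmd.exe"}
{"ts":"2026-01-26T10:05:00","host":"PACS-SRV01","user":"CORP\\jdoe","image":"C:\\Windows\\System32\\notepad.exe","parent":"explorer.exe"}
"""


def parse_events(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_admin_tool(image_path):
    """Match on the executable name only, regardless of install directory."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower() == ADMIN_BINARY


def evaluate(event):
    """Return the list of reasons this event should alert (empty = benign)."""
    if not is_admin_tool(event["image"]):
        return []
    reasons = []
    if event["user"] not in APPROVED_OPERATORS:
        reasons.append("unapproved operator")
    started = datetime.fromisoformat(event["ts"]).time()
    if not (MAINT_WINDOW[0] <= started <= MAINT_WINDOW[1]):
        reasons.append("outside maintenance window")
    return reasons


def alerts(text):
    """Run the rule over a log excerpt; yields (timestamp, host, user, reason)."""
    return [(ev["ts"], ev["host"], ev["user"], ", ".join(r))
            for ev in parse_events(text) if (r := evaluate(ev))]


if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS):
        print("ALERT", *hit)
```

Launches by approved operators inside the window are still worth recording for the periodic audit in measure 5, even though they do not alert.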
Affected Countries
Germany, Switzerland, Austria, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-09T07:52:56.383Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6977400a4623b1157c815e91
Added to database: 1/26/2026, 10:20:58 AM
Last enriched: 1/26/2026, 10:39:11 AM
Last updated: 2/6/2026, 9:42:14 PM