CVE-2025-59090

Vulnerability Description

On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards.

Vulnerability Details

Published Date

January 26, 2026

Last Modified

January 26, 2026

CWE ID

CWE-306

Source

NVD

Vendor

dormakaba

Product

Kaba exos 9300

External References

https://r.sec-consult.com/dkexos
https://r.sec-consult.com/dormakaba
https://www.dormakabagroup.com/en/security-advisories

CVE-2025-59090

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment