RCE in Dormakaba Kaba Exos 9300
CVE-2025-59090
On the exos 9300 server, a SOAP API is reachable on TCP port 8002. The API requires no authentication before it accepts requests, so anyone with network access to the exos server can, for example, create arbitrary access log events as…
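Because the weakness is reachable by anyone who can open a TCP connection to port 8002, the practical question for an operator on a version that still needs the manual mitigation is whether that port is actually confined to the hosts that should talk to it. The following detection is an added example written for this page, not code from SEC Consult, dormakaba or the exos product: it assumes the mitigation takes the form of a network-level restriction (the advisory text here does not say what the manual mitigation is), and it assumes a constructed flow-log format and constructed sample data. It flags every TCP/8002 connection to an exos host whose source is outside an allow-list of client networks.

```python
"""Flag connections to the exos 9300 SOAP API port (TCP 8002) from hosts
outside an allow-list.  Added example for this page; it assumes the manual
mitigation for versions <4.4.0 is a network-level restriction and that the
monitored flow logs use the constructed line format parsed below."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

EXOS_SOAP_PORT = 8002  # port of the unauthenticated SOAP API named in the advisory


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one line of the constructed flow-log format
    '<ts> <proto> <src>:<sport> -> <dst>:<dport>'.
    Returns None for lines that do not match, so one malformed record
    cannot abort the whole scan."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "->":
        return None
    ts, proto, src_ep, _, dst_ep = parts
    try:
        # rsplit keeps any ':' inside an IPv6 address intact
        src, sport = src_ep.rsplit(":", 1)
        dst, dport = dst_ep.rsplit(":", 1)
        return Flow(ts, proto.upper(), src, int(sport), dst, int(dport))
    except ValueError:
        return None


def find_unexpected_soap_clients(lines, exos_hosts, allowed_client_nets) -> List[Flow]:
    """Return every TCP flow to port 8002 on an exos host whose source
    address is not inside any of the allowed client networks."""
    exos = {ipaddress.ip_address(h) for h in exos_hosts}
    allowed = [ipaddress.ip_network(n) for n in allowed_client_nets]
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f is None or f.proto != "TCP" or f.dport != EXOS_SOAP_PORT:
            continue
        try:
            src, dst = ipaddress.ip_address(f.src), ipaddress.ip_address(f.dst)
        except ValueError:
            continue  # unparsable address: skip rather than crash
        if dst in exos and not any(src in net for net in allowed):
            hits.append(f)
    return hits


# Constructed sample data, not real traffic.  10.0.9.10 is the assumed exos
# server; 10.0.5.0/24 is the assumed network of legitimate SOAP clients.
SAMPLE_FLOWS = [
    "2025-09-01T10:00:00Z tcp 10.0.5.20:51234 -> 10.0.9.10:8002",  # allowed client
    "2025-09-01T10:00:05Z tcp 10.0.7.99:40001 -> 10.0.9.10:8002",  # unexpected client
    "2025-09-01T10:00:09Z tcp 10.0.7.99:40002 -> 10.0.9.10:443",   # not the SOAP port
    "2025-09-01T10:01:00Z tcp 10.0.5.21:51000 -> 10.0.9.11:8002",  # not an exos host
    "garbage line",                                                # malformed record
]
EXOS_SERVERS = {"10.0.9.10"}
ALLOWED_CLIENT_NETS = ["10.0.5.0/24"]

if __name__ == "__main__":
    for f in find_unexpected_soap_clients(SAMPLE_FLOWS, EXOS_SERVERS, ALLOWED_CLIENT_NETS):
        print(f"{f.ts} unexpected SOAP client {f.src} -> {f.dst}:{f.dport}")
```

Run against the constructed sample, only the connection from 10.0.7.99 to 10.0.9.10:8002 is reported; traffic to other ports, to non-exos hosts, and from the allowed client network is ignored. Point the same function at exported firewall or NetFlow records (after adapting `parse_flow` to their format) to confirm that the restriction is in place, or to spot a client that should not be reaching the API at all.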
Vulnerability class: Broken Authentication
EPSS: 0.001 (34.1 percentile)
Affected products
- Dormakaba Kaba Exos 9300: versions <4.4.0 need a manual mitigation; versions >=4.4.0 with 92xx-K7 are secured by default
Weakness classification (CWE)
References
- r.sec-consult.com/dormakaba (technical description)
- r.sec-consult.com/dkexos (third-party advisory)
- www.dormakabagroup.com/en/security-advisories (vendor advisory)