CVE-2025-59090

Vulnerability Description

On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards.

Related Weaknesses (CWE)

CWE-1188 CWE-306

References

https://r.sec-consult.com/dkexos
https://r.sec-consult.com/dormakaba
https://www.dormakabagroup.com/en/security-advisories

FAQ

What is CVE-2025-59090?

CVE-2025-59090 is a documented vulnerability. On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the crea...

How severe is CVE-2025-59090?

CVSS scoring is not yet available for CVE-2025-59090. Check NVD for updates.

Is there a patch for CVE-2025-59090?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.