Advisory

Critical Flaws in Dormakaba Access Systems Allow Remote Door Control

Take action: Make sure all Dormakaba access control systems are isolated from the internet and only accessible from trusted, properly segmented internal networks - never mount them in publicly accessible areas. Then plan an upgrade to the latest patched versions and change all default passwords following Dormakaba's hardening guide.


Learn More

Researchers from SEC Consult report over 20 security vulnerabilities in the Dormakaba physical access control systems. 

These enterprise-grade systems manage entry for thousands of large organizations, including airports, energy providers, and logistics firms. The flaws allow attackers to bypass authentication, unlock doors remotely, and steal sensitive user data. Many of these issues stem from unauthenticated APIs and hardcoded credentials that provide full control over the building's security infrastructure.

The vulnerabilities span across the central management software, networked access controllers, and door-side registration units, allowing attackers with network access to open arbitrary doors, reconfigure systems without authentication, steal access credentials, and compromise entire physical security infrastructures.

Vulnerability summary:

  • CVE-2025-59097 (CVSS score 9.3) - Unauthenticated SOAP API on access managers allowing remote door unlocking by sending crafted messages to port 8002 without authentication
  • CVE-2025-59091 (CVSS score 9.3) - Hardcoded legacy account credentials embedded in exos 9300 software enabling authentication to Datapoint Server and remote door release
  • CVE-2025-59090 (CVSS score 9.3) - Unauthenticated SOAP API on exos 9300 server allowing attackers to forge access logs and retrieve user PINs
  • CVE-2025-59108 (CVSS score 9.2) - Weak default password "admin" remaining unchanged on numerous installations
  • CVE-2025-59103 (CVSS score 9.2) - Default SSH credentials ("eac" for root and "secret" for update_user) providing complete system access
  • CVE-2025-59099 (CVSS score 8.8) - Path traversal vulnerability in CompactWebServer allowing unauthenticated filesystem access including SQLite database with plaintext credentials
  • CVE-2025-59098 (CVSS score 8.7) - Trace functionality leaking sensitive data including PIN pad keystrokes over TCP port 4502 without authentication
  • CVE-2025-59092 (CVSS score 8.7) - Unauthenticated RPC service on port 4000 for outdated SecLoc Mohito feature allowing door control
  • CVE-2025-59093 (CVSS score 8.5) - Insecure password derivation function for MSSQL database administrator using predictable values with MD5 hashing
  • CVE-2025-59107 (CVSS score 8.5) - Hardcoded firmware encryption password exposed within update tool
  • CVE-2025-59094 (CVSS score 8.4) - Local privilege escalation to SYSTEM through automatic program starts feature
  • CVE-2025-59101 (CVSS score 7.7) - Insufficient session management using IP-based authentication instead of tokens
  • CVE-2025-59104 (CVSS score 7.0) - Unlocked bootloader accessible via UART permitting kernel parameter modification
  • CVE-2025-59105 (CVSS score 7.0) - Unencrypted flash storage containing all credentials and certificates
  • CVE-2025-59102 (CVSS score 6.9) - Secrets stored in plaintext in SQLite database including passwords and PINs
  • CVE-2025-59095 (CVSS score 6.8) - Hardcoded key for PIN encryption using simple XOR obfuscation
  • CVE-2025-59100 (CVSS score 5.9) - Unauthenticated access to previously exported SQLite database via predictable URL path
  • CVE-2025-59109 (CVSS score 5.1) - UART interface on PIN pads leaking entered codes when physically accessed
  • CVE-2025-59096 (CVSS score 4.6) - Weak default password "ExtendedAdminMode" for Extended Admin Mode
  • CVE-2025-59106 - Web server running with root privileges violating least privilege principle
  • Missing transport layer encryption - Services provided via unencrypted HTTP/TCP by default
  • Potential command injection/argument injection - Vulnerable password change functionality on K7 access managers

The research revealed alarming real-world exposure scenarios. Researchers identified dozens of access managers directly accessible over the internet, clustered primarily in Spain, the Netherlands, and Switzerland, with critical services including the SOAP API on port 8002 and web interfaces fully exposed. 

Many installations failed to follow Dormakaba's requirement to place access managers within secured zones, with devices found mounted in publicly accessible areas including airport check-in zones. Network segmentation issues allow attackers who compromise controllers in low-security guest zones to pivot laterally and control access managers protecting high-security areas. Additionally, biometric readers and time recording terminals commonly installed in unsecured zones provide network access points, as these devices connect directly to the internal network via easily accessible Ethernet ports behind simple mounting screws.
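The vulnerability list above ties several of the critical findings to specific TCP ports (8002 for the SOAP API, 4000 for the SecLoc Mohito RPC service, 4502 for the trace service), and the exposure paragraph shows that the practical risk comes from those ports being reachable from the internet or from low-security zones. The following added example, which is not code from Dormakaba or SEC Consult, turns that into a segmentation check a defender can run over flow or firewall logs: it flags any connection to an access-manager service port that does not originate from the trusted management VLAN, rating internet sources as critical and other internal sources as a segmentation gap. The subnets, the web interface on 80/443, SSH on 22, and the flow-record layout are assumptions made for the example; the sample records are constructed.

```python
"""Audit network flow records for traffic that reaches Dormakaba access-manager
service ports from outside the trusted management segment.

Added example for this advisory, not code from Dormakaba or SEC Consult. The
port-to-service mapping uses the ports the advisory names (8002, 4000, 4502);
the web interface on 80/443, SSH on 22, the subnets and the flow-record layout
are assumptions made for the example.
"""
import ipaddress
from collections import namedtuple

# Ports the advisory associates with exposed services, plus assumed 22/80/443.
ACCESS_MANAGER_PORTS = {
    8002: "SOAP API, unauthenticated door release (CVE-2025-59097)",
    4000: "SecLoc Mohito RPC, unauthenticated door control (CVE-2025-59092)",
    4502: "trace service leaking PIN pad keystrokes (CVE-2025-59098)",
    22: "SSH (assumed port) with default credentials (CVE-2025-59103)",
    80: "web interface (assumed HTTP)",
    443: "web interface (assumed HTTPS)",
}

# Hypothetical layout: controllers sit in 10.50.0.0/24 and may only be reached
# from the access-control management VLAN 10.10.0.0/24.
CONTROLLER_SUBNET = ipaddress.ip_network("10.50.0.0/24")
MANAGEMENT_SUBNETS = [ipaddress.ip_network("10.10.0.0/24")]
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = namedtuple("Flow", "src dst dport proto")


def parse_flow(line):
    """Parse one 'src dst dport proto' record; return None for blank or comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    src, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower())


def classify_source(src):
    """'management' if allow-listed, 'internal' if other RFC 1918 space, else 'internet'."""
    if any(src in net for net in MANAGEMENT_SUBNETS):
        return "management"
    if any(src in net for net in RFC1918):
        return "internal"
    return "internet"


def audit_flows(lines):
    """Return one finding per TCP flow that hits a controller service port from
    a source outside the management VLAN. Internet sources are critical (the
    device is reachable from outside); other internal sources are high (a
    segmentation gap that lets a compromised low-security zone reach the
    access managers protecting high-security areas)."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.proto != "tcp":
            continue
        if flow.dst not in CONTROLLER_SUBNET or flow.dport not in ACCESS_MANAGER_PORTS:
            continue
        origin = classify_source(flow.src)
        if origin == "management":
            continue
        findings.append({
            "src": str(flow.src),
            "dst": str(flow.dst),
            "port": flow.dport,
            "service": ACCESS_MANAGER_PORTS[flow.dport],
            "severity": "critical" if origin == "internet" else "high",
        })
    return findings


# Constructed sample records: 'src dst dport proto'.
SAMPLE_FLOWS = """
# management VLAN talking to a controller: expected, not reported
10.10.0.5 10.50.0.10 8002 tcp
10.10.0.5 10.50.0.10 443 tcp
# guest-zone host reaching the SOAP API and trace port: segmentation gap
192.168.77.23 10.50.0.10 8002 tcp
192.168.77.23 10.50.0.11 4502 tcp
# non-RFC1918 source reaching the SOAP API: internet exposure
203.0.113.9 10.50.0.10 8002 tcp
# office subnet to SSH on a controller: segmentation gap
10.20.0.4 10.50.0.10 22 tcp
# UDP and non-controller traffic are ignored
10.20.0.4 10.50.0.12 4000 udp
10.20.0.4 10.60.0.12 8002 tcp
""".strip().splitlines()

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"[{f['severity']}] {f['src']} -> {f['dst']}:{f['port']} {f['service']}")
```

In a real deployment the same logic would be fed from NetFlow, firewall accept logs, or a SIEM export; the point is that any accepted flow to these ports from outside the management VLAN is a policy violation worth alerting on, independent of whether the controller has been patched yet.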

Dormakaba has handled the coordinated vulnerability disclosure exceptionally well, spending 18 months releasing patches, providing hardening guidelines, and working closely with affected customers. The company confirmed no known active exploitation in the wild. Mitigation includes upgrading to patched versions (exos 9300 version 4.4.0 or later, access manager firmware BAME 06.00 or later for K7 hardware, XAMB 04.06.212 or later for K5 hardware), implementing mutual TLS for SOAP communications, replacing older K5 hardware that lacks mTLS support, enforcing strong password policies, properly segmenting networks, ensuring physical security of devices, and following the vendor's official hardening guide. 
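The mitigation paragraph gives three minimum fixed versions (exos 9300 4.4.0, BAME 06.00 for K7 access managers, XAMB 04.06.212 for K5) and notes that K5 hardware cannot do mTLS and should be replaced. The following added example, not vendor code, checks an inventory of components against those minimums and emits the resulting actions. The inventory layout, device names, the platform labels `exos9300`/`K7`/`K5`, and the assumption that firmware strings follow a `PREFIX major.minor[.patch]` layout are assumptions made for the example; the inventory records are constructed.

```python
"""Check a Dormakaba component inventory against the minimum patched versions
named in the advisory and derive the required actions.

Added example for this advisory, not Dormakaba code. Minimum versions come
from the advisory; the inventory format, platform labels and the version
string layout ('BAME 06.00', 'XAMB 04.06.212', '4.4.0') are assumptions.
"""
import re

# Minimum fixed versions from the advisory, keyed by assumed platform label.
MINIMUM_VERSIONS = {
    "exos9300": "4.4.0",
    "K7": "BAME 06.00",
    "K5": "XAMB 04.06.212",
}

# Platforms the advisory says lack mTLS support and should be replaced.
REPLACE_PLATFORMS = {"K5"}


def parse_version(text):
    """Split 'BAME 06.00' or '4.4.0' into (PREFIX, tuple of ints). Assumed layout."""
    m = re.fullmatch(r"\s*([A-Za-z]*)\s*([0-9]+(?:\.[0-9]+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group(1).upper(), tuple(int(p) for p in m.group(2).split("."))


def compare(a, b):
    """Compare two version tuples, padding with zeros so (6,) == (6, 0, 0)."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def assess(device):
    """Return {'name', 'status', 'actions'} for one inventory record."""
    platform = device["platform"]
    required_prefix, minimum = parse_version(MINIMUM_VERSIONS[platform])
    prefix, version = parse_version(device["version"])
    if prefix != required_prefix:
        status = "unknown-firmware-line"   # not the firmware line the advisory covers
    elif compare(version, minimum) < 0:
        status = "upgrade-required"
    else:
        status = "patched"
    actions = []
    if status == "upgrade-required":
        actions.append(f"upgrade to {MINIMUM_VERSIONS[platform]} or later")
    if platform in REPLACE_PLATFORMS:
        actions.append("plan hardware replacement: K5 lacks mTLS support")
    return {"name": device["name"], "status": status, "actions": actions}


def audit_inventory(inventory):
    """Assess every record and return the findings in inventory order."""
    return [assess(device) for device in inventory]


# Constructed inventory records (names and versions invented for the example).
INVENTORY = [
    {"name": "exos-srv-01", "platform": "exos9300", "version": "4.3.2"},
    {"name": "exos-srv-02", "platform": "exos9300", "version": "4.4.0"},
    {"name": "am-lobby-k7", "platform": "K7", "version": "BAME 05.12"},
    {"name": "am-dc-k7", "platform": "K7", "version": "BAME 06.00"},
    {"name": "am-gate-k5", "platform": "K5", "version": "XAMB 04.06.199"},
    {"name": "am-dock-k5", "platform": "K5", "version": "XAMB 04.06.212"},
]

if __name__ == "__main__":
    for finding in audit_inventory(INVENTORY):
        print(finding["name"], finding["status"], "; ".join(finding["actions"]))
```

Even a K5 unit that is on the minimum XAMB build still gets a replacement action, because the advisory's mTLS recommendation for SOAP traffic cannot be met on that hardware; version compliance alone does not close the gap.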

Organizations should consult their Dormakaba partners and review the vendor security advisories.
