dormakaba Kaba exos 9300 Hardcoded Credentials Allowing Unauthorized Access to Access Managers

Vulnerability

A vulnerability exists in the dormakaba Kaba exos 9300 application due to multiple hardcoded credentials that allow unauthorized access to the exos 9300 datapoint server. This server, running on ports 1004 and 1005, is responsible for relaying status information between the exos 9300 server and connected Access Managers. The hardcoded credentials grant access to four different user accounts, enabling authentication and the ability to send and receive information, including commands to open doors. This vulnerability affects all versions of Kaba exos 9300 prior to 4.4.1.

Impact

Exploitation of this vulnerability allows for unauthorized control over Access Managers, including the ability to open doors remotely.

Reproduction

The hardcoded credentials for the affected accounts are embedded in the Kaba exos 9300 application. These credentials can be extracted and used to log into the datapoint server on ports 1004 and 1005. Once authenticated, a command can be sent to the server to open a specific door by referencing its identifier.

Remediation

Users are advised to update to Kaba exos 9300 version 4.4.1 or later, where this vulnerability has been addressed.
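Until the update is rolled out, a compensating control is to watch who talks to the datapoint server: in a healthy deployment, only the exos 9300 server's own Access Managers should connect to TCP 1004 and 1005. The following script is an added example, not part of this advisory or of dormakaba's software. It assumes a simple whitespace-separated flow-log line (timestamp, source IP, destination IP, destination port, action); the server address, the Access Manager subnet and the sample log lines are all constructed for illustration.

```python
"""Flag unexpected clients of the exos 9300 datapoint server (TCP 1004/1005).

Added monitoring example, not from the advisory or from dormakaba.  The log
format, addresses and allowlist below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

DATAPOINT_PORTS = {1004, 1005}  # ports named in the advisory

# Constructed: the exos 9300 server and the subnet the Access Managers live on.
EXOS_SERVER = ip_address("10.20.0.10")
ACCESS_MANAGER_NETS = [ip_network("10.20.5.0/24")]


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    action: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one 'ts src dst dport action' line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return Flow(parts[0], parts[1], parts[2], int(parts[3]), parts[4])
    except ValueError:
        return None


def is_expected_client(src: str) -> bool:
    """True when the source address belongs to a known Access Manager network."""
    addr = ip_address(src)
    return any(addr in net for net in ACCESS_MANAGER_NETS)


def find_unexpected_clients(lines: Iterable[str]) -> List[Flow]:
    """Return flows to the datapoint ports on the exos server from non-AM sources.

    Denied attempts are reported too: a blocked connection to these ports from
    an unexpected host is still worth a look.
    """
    alerts: List[Flow] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than crash the monitor
        if ip_address(flow.dst) != EXOS_SERVER or flow.dport not in DATAPOINT_PORTS:
            continue
        if not is_expected_client(flow.src):
            alerts.append(flow)
    return alerts


def summarize(alerts: Iterable[Flow]) -> Dict[str, int]:
    """Count alerts per source address for a quick triage view."""
    counts: Dict[str, int] = {}
    for flow in alerts:
        counts[flow.src] = counts.get(flow.src, 0) + 1
    return counts


# Constructed sample log: two legitimate Access Managers, one workstation on
# another subnet reaching port 1004, one outside host denied on 1005, a flow
# to an unrelated port, and a malformed line.
SAMPLE_LOG = [
    "2026-01-26T10:00:01Z 10.20.5.17 10.20.0.10 1004 ALLOW",
    "2026-01-26T10:00:05Z 10.20.5.18 10.20.0.10 1005 ALLOW",
    "2026-01-26T10:01:12Z 10.20.7.44 10.20.0.10 1004 ALLOW",
    "2026-01-26T10:01:30Z 10.20.7.44 10.20.0.10 443 ALLOW",
    "2026-01-26T10:02:00Z 192.168.1.5 10.20.0.10 1005 DENY",
    "not a flow line",
]

if __name__ == "__main__":
    for flow in find_unexpected_clients(SAMPLE_LOG):
        print(f"{flow.ts} unexpected client {flow.src} -> port {flow.dport} ({flow.action})")
    print(summarize(find_unexpected_clients(SAMPLE_LOG)))
```

Feed it your firewall or flow export after mapping the fields; the useful part is the allowlist of Access Manager addresses, which should be kept as tight as the deployment allows.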

Added: Jan 26, 2026, 10:22 AM
Updated: Jan 26, 2026, 3:31 PM

Vulnerability Rating

Custom Algorithm

  spread           0.0
  impact           5.0
  exploitability   8.7
  remediation      0.0
  relevance        2.3
  threat           6.4
  urgency          2.9
  incentive        4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.