CVE-2025-59091

216.73.216.6

· Published 26/01/2026 10:16 · Modified 26/01/2026 15:03

Labels: CVE-2025-59091 2026-01-26 551230f0-3615-47bd-b7cc-93e92e730bbf CVE-2025-59091 CWE-798

Essential information

Published: 26/01/2026 10:16
Modified: 26/01/2026 15:03
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible. To send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to login to the datapoint server and receive as well as send information, including commands to open arbitrary doors.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: 551230f0-3615-47bd-b7cc-93e92e730bbf
NVD: View on NVD

Affected products (CPE)

Product	CPE
kaba / exos 9300	`cpe:2.3:a:kaba:exos_9300::::::::`