VYPR
Vendor

dormakaba

Products
8
CVEs
12
Across products
13
Status
Private

Products

8

Recent CVEs

12
  • CVE-2024-58311CriDec 12, 2025
    risk 0.64cvss 9.8epss 0.00

    Dormakaba Saflok System 6000 contains a predictable key generation algorithm that allows attackers to derive card access keys from a 32-bit unique identifier. Attackers can exploit the deterministic key generation process by calculating valid access keys using a simple…

  • CVE-2025-59097CriJan 26, 2026
    risk 0.60cvss epss 0.01

    The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the…

  • CVE-2025-59091CriJan 26, 2026
    risk 0.60cvss epss 0.01

    Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used…

  • CVE-2025-59090CriJan 26, 2026
    risk 0.60cvss epss 0.01

    On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated…

  • CVE-2025-59092HigJan 26, 2026
    risk 0.57cvss epss 0.01

    An RPC service, which is part of exos 9300, is reachable on port 4000, run by the process FSMobilePhoneInterface.exe. This service is used for interprocess communication between services and the Kaba exos 9300 GUI, containing status information about the Access Managers.…

  • CVE-2025-59107HigJan 26, 2026
    risk 0.55cvss epss 0.00

    Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP and extract the firmware is set…

  • CVE-2025-59094HigJan 26, 2026
    risk 0.55cvss epss 0.00

    A local privilege escalation vulnerability has been identified in the Kaba exos 9300 System management application (d9sysdef.exe). Within this application it is possible to specify an arbitrary executable as well as the weekday and start time, when the specified executable…

  • CVE-2025-59093HigJan 26, 2026
    risk 0.55cvss epss 0.00

    Exos 9300 instances are using a randomly generated database password to connect to the configured MSSQL server. The password is derived from static random values, which are concatenated to the hostname and a random string that can be read by every user from the registry. This…

  • CVE-2025-59105HigJan 26, 2026
    risk 0.46cvss epss 0.00

    With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Thus, essential files, such as "/etc/passwd", as well as stored certificates, cryptographic keys, stored PINs and so on…

  • CVE-2024-29916MedMar 21, 2024
    risk 0.36cvss 5.6epss 0.00

    The dormakaba Saflok system before the November 2023 software update allows an attacker to unlock arbitrary doors at a property via forged keycards, if the attacker has obtained one active or expired keycard for the specific property, aka the "Unsaflok" issue. This occurs, in…

  • CVE-2025-59109MedJan 26, 2026
    risk 0.33cvss epss 0.00

    The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be…

  • CVE-2025-59096MedJan 26, 2026
    risk 0.30cvss epss 0.00

    The default password for the extended admin user mode in the application U9ExosAdmin.exe ("Kaba 9300 Administration") is hard-coded in multiple locations as well as documented in the locally stored user documentation.