www.securityweek.com 1/26/2026, 4:36:05 PM

Access System Flaws Enabled Hackers to Unlock Doors at Major European Firms

Dormakaba’s Exos central management software, along with a hardware access manager and registration units, was found to contain more than 20 vulnerabilities that could have allowed hackers to remotely open doors at major European organisations, according to SEC Consult researchers cited by SecurityWeek.

The flaws, identified in the vendor’s physical access control system, included hardcoded credentials and encryption keys, weak passwords, lack of authentication and insecure password generation, as well as local privilege escalation and command injection issues. Dormakaba told SecurityWeek that a few thousand customers were potentially affected, with a small subset having high-security requirements, and that patches and hardening guidelines have been released over the past year and a half.

The company said exploitation would require prior access to the customer’s own network, although SEC Consult found a few dozen internet‑exposed systems that could have been targeted to open doors directly from the web. Dormakaba stated it is not aware of any cases where the vulnerabilities were exploited, while SecurityWeek published a video showing how an attacker could have exploited the flaws to open doors with specially crafted requests, a scenario described as a potential risk.


Article by CyberSIXT