securityaffairs.com 1/27/2026, 7:25:49 AM

Dormakaba flaws allow access to major organizations’ doors

Researchers from SEC Consult discovered and fixed more than 20 security flaws in Dormakaba’s exos 9300 physical access control ecosystem, which is used by large European organisations to manage doors with key cards or fingerprint readers. According to SEC Consult, the vulnerabilities could allow an attacker to open arbitrary doors, reconfigure connected controllers and peripherals without prior authentication, and perform other invasive actions.

Dormakaba said exploitation would require prior access to the customer’s internal network or hardware, and confirmed that a few thousand customers were potentially affected, including some operating in high-security environments. The flaws were found across central management software, access managers, and door-side units, with some access managers directly exposed to the internet, notably in Spain, the Netherlands and Switzerland, where web logins and the SOAP API on port 8002 were publicly accessible.

A PoC video showing door opening via crafted requests was published, and researchers noted that at the time of writing there were no reported attacks exploiting these vulnerabilities in the wild.

Article by CyberSIXT