SEC Consult Vulnerability Lab Security Advisory < 20260126-2 >
=======================================================================
title: UART Leaking Sensitive Data
product: dormakaba registration unit 9002 (PIN pad)
vulnerable version: <SW0039
fixed version: SW0039
CVE number: CVE-2025-59109
impact: medium
homepage:https://www.dormakaba.com/
found: 2024-03-18
by: Clemens Stockenreitner (Office Vienna)
Werner Schober (Office Vienna)
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos business
Europe | Asia
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"The Kaba exos 9300 basic system is the cornerstone of your access
management solution. Use it to resolves all your basic employees,
system, user and peripheral management tasks and initiate targeted
security measures as required. [...] "
Source:https://www.dormakaba.com/gb-en/offering/products/electronic-access-data/corporate-access-control-solutions
Business recommendation:
------------------------
The vendor provides an updated hardware revision of the device.
More details can be found at the following locations:
- Solution at the end of this advisory
- SEC Consult blog post:https://r.sec-consult.com/dormakaba
- Vendor website / security
page:https://www.dormakabagroup.com/en/security-advisories
- Your dormakaba partner
Tested Architecture Overview
-----------------------------------
The tested system is the enterprise grade physical access system from
dormakaba. The tested system consists of the following components:
------------------------------
dormakaba exos 9300
------------------------------
Exos 9300 is a piece of software based on C# running on a central Windows
server with
an MSSQL, or Oracle database as central storage.
Exos consists of multiple modules (e.g. basis, employee management, key depot,
access,
visitor management, 3rd party management). Exos is used to centrally manage
users,
keys, cards as well as the configuration of the access manager. Devices in the
exos environment are addressed using a special addressing scheme. The address
scheme
described in the following table is going to be important.
┌────────────────────┬───────────────────────────┬───────────────┬───────────────────────────────────────────┬───────────────────────────┬───────────────────┐
│ I │ 01 │ 00 │
01 │ 00 │ 00 │
├────────────────────┼───────────────────────────┼───────────────┼───────────────────────────────────────────┼───────────────────────────┼───────────────────┤
│ Port Type │ Communication Hub Address │ Port Address │ Access Hub
Address │ 00 = Door Manager │ Datapoint Address │
│ I = Access Manager │ Values: 01-99 │ Values: 00-99 │ Values:
00-99 │ 01 = Access Point │ Values: 00-20
│
│ B = Serial │ │ │ Fixed to 01
for Access Hubs with Ethernet │ 02 = Turnstile │ │
│ C = Modem │ │ │
│ 03 = IO Controller │ │
│ E = Ethernet │ │ │
│ Fixed to 00 in most cases │ │
│ R = remote │ │ │
│ │ │
└────────────────────┴───────────────────────────┴───────────────┴───────────────────────────────────────────┴───────────────────────────┴───────────────────┘
------------------------------
dormakaba Access Manager
------------------------------
The access manager is a component that is configured via exos. The configuration
between exos and access manager is exchanged via a SOAP interface. Per default
the data exchange is unencrypted. Encryption is only available starting with
access manager hardware release K7.
The access manager is a custom piece of hardware with multiple inputs and
outputs.
The device offers the following interfaces:
- Digital Inputs
- 3x DC Output Relays
- 2x RS-232
- 1x RS-485 (Used to connect to access manager extension systems e.g. Kaba 9125)
- 1x RJ45
- 1x Micro USB
- 2x Coax (Used to connect registration units e.g. 9001, 9002)
The tested hardware was an access manager 9200-k5 running Windows CE embedded,
and an access manager 9200-k7 running Linux.
------------------------------
dormakaba Registration Unit
------------------------------
Dormakaba registration units can be either a Legic/Mifare card reader,
or a PIN pad used to enter a PIN to deactivate alarming systems, or as
an additional authentication.
------------------------------
Electric lock
------------------------------
The lock used for the tested setup is an Assa Abloy/effeff Profix 118. The lock
is simply controlled via a relay contact connected to the access manager. As
soon as a user successfully authenticates with a registration unit,
the relay connected to the lock is switched and the door opens.
The system is depicted in the following diagram.
┌─────────┐
│ │
│exos 9300│ ┌──────────┐ ┌──────────┐
│ │ │ Reg Unit │ │ Pin Pad │
└────┬────┘ │ ┌──┐ │ │ x x x │
│ │ │┼┼│ │ │ x x x │
Ethernet──────►│ │ └──┘ │ │ x x x │
│ │ 9001 │ │ 9002 │
┌────┴────┐ └─────┬────┘ └─────┬────┘
│ Access │ │ │
│ Manager ├────────────────────┴─────────────┘
│ 9200 │ ▲
└────┬────┘ │
│ Coax
│
DC Relay───► │
│
┌──┴──┐
│ │
│ │
│ │
│ ─┤◄──────Electric Lock
│ │
│ │
└─────┘
Vulnerability overview/description:
-----------------------------------
1) UART Leaking Sensitive Data (CVE-2025-59109)
The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART
header on the backside. The PIN pad is sending every button press to the UART
interface. An attacker can use the interface to exfiltrate PINs. As the
devices are explicitly built as Plug-and-Play to be easily replaced, an attacker
is easily able to remove the device, install a hardware implant which connects
to the UART and exfiltrates the data exposed via UART to another system (e.g.
via WiFi).
Proof of concept:
-----------------
1) UART Leaking Sensitive Data (CVE-2025-59109)
To verify that the UART interface actually sends the entered numbers, wires
have been
soldered to the board of the keypad. Using a baud rate of 57.600, one stop bit
and no
parity bits, the data keystrokes can be received.
The received output then includes the pressed keys, and the coordinates of the
pressed
key in the following format.
1,1324,0395,
5,1294,0386,
8,1290,0398,
6,1294,0388,
6,1294,0403,
E,1304,0374,
Vulnerable / tested versions:
-----------------------------
All hardware revisions with a firmware version <SW0039, which was the latest
version available at the time of the test, are vulnerable.
Vendor contact timeline:
------------------------
2024-04-02: Contacting vendor [email protected], no response
2024-04-05: Contacting vendor again [email protected], no
response
2024-04-09: Contacting vendor again [email protected]
[email protected]
2024-04-09:[email protected] [email protected] informed us
that they are not responsible for Austrian "Customers" and we should
contact the Austrian dormakaba entity.
2024-04-09: Contacting vendor again
[email protected],[email protected]
[email protected]. Explaining that this is not a
local
Austrian problem, but a global issue for dormakaba. Requesting a
Global
Security Contact.
2024-04-09: Instead of forwarding our message to the global security team a
local
Austrian dormakaba representative called us. We closed the call
down by
requesting a contact of dormakaba's global security team.
2024-04-09: Austrian representatives requests the advisory via E-Mail. Asking
for
confirmation, if mail encryption is supported or if the advisory
shall be forwarded unencrypted.
2024-04-10: Scheduling a conference call with the Austrian contact to clarify
everything
and explain the security issues.
2024-04-10: Conference call got cancelled. The Austrian contact forwarded our
request to
the headquarter in Switzerland.
2024-04-10: dormakaba's CISO contacted us via email and informed us to get back
to us
as soon as possible.
2024-04-12: dormakaba's DVP Systems Access Control und Owner Security
Governance contacted
us via email and provided us with a secure channel to submit the
advisory. The
advisory got submitted immediately.
2024-04-12: dormakaba's DVP Systems Access Control und Owner Security
Governance requests
details about the tested firmware and software version.
2024-04-15: SEC Consult provides detailed software and firmware version that
was tested.
2024-04-16: dormakaba updates us and informs us that they are actively
investigating
the reported issues.
2024-04-30: Asking for a status update & offering a meeting to discuss any
questions.
2024-04-30: dormakaba's CISO replies by accepting our meeting offer. Scheduling
a meeting
for 2024-05-07.
2024-05-07: Meeting with dormakaba's CISO and DVP Systems Access Control. All
vulnerabilities
are confirmed and actively worked on. Discussing further steps and
agreeing on a
monthly update meeting with dormakaba.
2024-05-08: Providing further details concerning the vulnerabilities as well as
providing a set of questions (Vulnerable Versions, Firmware,
Revisions), proposing
meeting dates; no response
2024-05-23: Asking for a status update, no response
2024-06-03: Asking again for a status update.
2024-06-04: dormakaba's CISO replies with a meeting invite.
2024-06-05: Meeting with dormakaba for the scheduled monthly update meeting.
2024-07-24: Asking again for a status update, no response.
2024-07-31: Asking again for a status update or meeting, no response.
2024-08-19: Asking again for a status update or meeting.
2024-08-27: Scheduling a call for 2024-09-03
2024-09-03: dormakaba technician provides status update about which
vulnerabilities are already
fixed in the next release and on which they are still actively
working on.
2024-11-12: Asking for a status update and informing dormakaba that we tested a
newer hardware
release of the dormakaba Access Manager (9200-K7) which is based on
Linux.
Multiple new critical vulnerabilities were identified. A separate
advisory
is in the making.
2024-12-12: Meeting with dormakaba to discuss new identified issues in other
hardware releases.
2025-01-16: Added vulnerability "Unauthenticated access to the internal SQLite
Database" &
"Static firmware encryption password", see SEC Consult advisory
20260126-1.
2025-01-17: Providing updated advisory to dormakaba, asking for a status update
regarding
the other issues.
2025-01-28: Asking for status update again. Vendor responds that they received
our
updated advisory and they are preparing a feedback.
2025-02 - 2026-01: Monthly meetings with dormakaba to discuss the current
developments.
2026-01-26: Public release of the advisory.
Solution:
---------
In this specific case there is a hardware replacement needed to
fix the vulnerability described above. There is no mechanism available
to update the reader firmware. The vulnerability is fixed starting
with all hardware revisions equipped with firmware >= SW0039. If readers
are installed in unsecured areas, we recommend to replace the hardware.
Review the website provided by dormakaba which was created specifically
for all the vulnerabilities documented in this advisory for more details
and insights from the manufacturer side. The vendor's security page is
available at the following
location:https://www.dormakabagroup.com/en/security-advisories
Workaround:
-----------
None
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos business
Europe | Asia
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your applicationhttps://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local officeshttps://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: security-research at sec-consult dot com
Web:https://www.sec-consult.com
Blog:https://blog.sec-consult.com
X:https://x.com/sec_consult
EOF Werner Schober, Clemens Stockenreitner / @2026
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
