SEC Consult SA-20260126-2 :: UART Leaking Sensitive Data in dormakaba registration unit 9002 (PIN pad)


Full Disclosure mailing list archives


From: SEC Consult Vulnerability Lab via Fulldisclosure <fulldisclosure () seclists org>
Date: Mon, 26 Jan 2026 10:22:04 +0000

SEC Consult Vulnerability Lab Security Advisory < 20260126-2 >
=======================================================================
              title: UART Leaking Sensitive Data
            product: dormakaba registration unit 9002 (PIN pad)
 vulnerable version: <SW0039
      fixed version: SW0039
         CVE number: CVE-2025-59109
             impact: medium
           homepage: https://www.dormakaba.com/
              found: 2024-03-18
                 by: Clemens Stockenreitner (Office Vienna)
                     Werner Schober (Office Vienna)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Atos business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"The Kaba exos 9300 basic system is the cornerstone of your access
management solution. Use it to resolve all your basic employee,
system, user and peripheral management tasks and initiate targeted
security measures as required. [...] "

Source: https://www.dormakaba.com/gb-en/offering/products/electronic-access-data/corporate-access-control-solutions


Business recommendation:
------------------------
The vendor provides an updated hardware revision of the device.
More details can be found at the following locations:
- Solution at the end of this advisory
- SEC Consult blog post: https://r.sec-consult.com/dormakaba
- Vendor website / security page: https://www.dormakabagroup.com/en/security-advisories
- Your dormakaba partner


Tested Architecture Overview
-----------------------------------
The tested system is the enterprise grade physical access system from
dormakaba. The tested system consists of the following components:

------------------------------
dormakaba exos 9300
------------------------------
Exos 9300 is a C# application running on a central Windows server with an
MSSQL or Oracle database as central storage.
Exos consists of multiple modules (e.g. basis, employee management, key depot, access,
visitor management, 3rd party management). Exos is used to centrally manage users,
keys and cards as well as the configuration of the access manager. Devices in the
exos environment are addressed using a special addressing scheme. The address scheme
described in the following table is important for the rest of this advisory.

┌────────────────────┬───────────────────┬───────────────┬──────────────────────┬──────────────────────┬───────────────────┐
│ I                  │ 01                │ 00            │ 01                   │ 00                   │ 00                │
├────────────────────┼───────────────────┼───────────────┼──────────────────────┼──────────────────────┼───────────────────┤
│ Port Type          │ Communication Hub │ Port Address  │ Access Hub Address   │ 00 = Door Manager    │ Datapoint Address │
│                    │ Address           │               │                      │ 01 = Access Point    │                   │
│ I = Access Manager │ Values: 01-99     │ Values: 00-99 │ Values: 00-99        │ 02 = Turnstile       │ Values: 00-20     │
│ B = Serial         │                   │               │ Fixed to 01 for      │ 03 = IO Controller   │                   │
│ C = Modem          │                   │               │ Access Hubs with     │ Fixed to 00 in most  │                   │
│ E = Ethernet       │                   │               │ Ethernet             │ cases                │                   │
│ R = remote         │                   │               │                      │                      │                   │
└────────────────────┴───────────────────┴───────────────┴──────────────────────┴──────────────────────┴───────────────────┘
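The table above fixes the six positions of an exos device address and the value range of each. The following decoder is an added example written for this advisory (it is not dormakaba or SEC Consult code) that validates an address against exactly those ranges. It assumes the address is written as the six columns concatenated without separators, so the example row I | 01 | 00 | 01 | 00 | 00 becomes "I0100010000"; the table does not name the fifth column, which is called "device type" here.

```python
"""Decode an exos device address into the six fields of the advisory's table.

Added example, not vendor or SEC Consult code. Assumption: the address is the
six table columns concatenated without separators, e.g. "I0100010000" for the
example row I | 01 | 00 | 01 | 00 | 00. "Device type" is this example's name
for the unnamed fifth column (00 = Door Manager ... 03 = IO Controller).
"""
from __future__ import annotations

from dataclasses import dataclass

# Column 1: port type letters and their meaning, as listed in the table.
PORT_TYPES = {
    "I": "Access Manager",
    "B": "Serial",
    "C": "Modem",
    "E": "Ethernet",
    "R": "remote",
}

# Column 5: the two-digit device type codes listed in the table.
DEVICE_TYPES = {0: "Door Manager", 1: "Access Point", 2: "Turnstile", 3: "IO Controller"}


@dataclass(frozen=True)
class ExosAddress:
    port_type: str    # one of PORT_TYPES
    comm_hub: int     # communication hub address, 01-99
    port: int         # port address, 00-99
    access_hub: int   # access hub address, 00-99 (01 for access hubs with Ethernet)
    device_type: int  # 00-03, 00 in most cases
    datapoint: int    # datapoint address, 00-20


def _field(raw: str, name: str, lo: int, hi: int) -> int:
    """Parse one two-digit field and enforce the range the table gives for it."""
    if len(raw) != 2 or not raw.isdigit():
        raise ValueError(f"{name}: expected two digits, got {raw!r}")
    value = int(raw)
    if not lo <= value <= hi:
        raise ValueError(f"{name}: {value:02d} is outside {lo:02d}-{hi:02d}")
    return value


def parse_address(addr: str) -> ExosAddress:
    """Split an 11-character address into its fields; any violation raises."""
    addr = addr.strip()
    if len(addr) != 11:
        raise ValueError(f"expected 11 characters, got {len(addr)}")
    if addr[0] not in PORT_TYPES:
        raise ValueError(f"unknown port type {addr[0]!r}")
    return ExosAddress(
        port_type=addr[0],
        comm_hub=_field(addr[1:3], "communication hub", 1, 99),
        port=_field(addr[3:5], "port", 0, 99),
        access_hub=_field(addr[5:7], "access hub", 0, 99),
        device_type=_field(addr[7:9], "device type", 0, 3),
        datapoint=_field(addr[9:11], "datapoint", 0, 20),
    )


def describe(a: ExosAddress) -> str:
    """Render a parsed address in words, using the table's labels."""
    return (
        f"{PORT_TYPES[a.port_type]} port, communication hub {a.comm_hub:02d}, "
        f"port {a.port:02d}, access hub {a.access_hub:02d}, "
        f"{DEVICE_TYPES[a.device_type]}, datapoint {a.datapoint:02d}"
    )


if __name__ == "__main__":
    print(describe(parse_address("I0100010000")))
```

Running the block prints the decoded example row; feeding it an address with a communication hub of 00 or a datapoint above 20 raises a ValueError naming the offending field.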

------------------------------
dormakaba Access Manager
------------------------------
The access manager is a component that is configured via exos. The configuration
between exos and the access manager is exchanged via a SOAP interface. By default
the data exchange is unencrypted. Encryption is only available starting with
access manager hardware release K7.
The access manager is a custom piece of hardware with multiple inputs and outputs.
The device offers the following interfaces:
- Digital Inputs
- 3x DC Output Relays
- 2x RS-232
- 1x RS-485 (Used to connect to access manager extension systems e.g. Kaba 9125)
- 1x RJ45
- 1x Micro USB
- 2x Coax (Used to connect registration units e.g. 9001, 9002)

The tested hardware was an access manager 9200-k5 running Windows CE embedded,
and an access manager 9200-k7 running Linux.

------------------------------
dormakaba Registration Unit
------------------------------
Dormakaba registration units can be either a Legic/Mifare card reader,
or a PIN pad used to enter a PIN to deactivate alarming systems, or as
an additional authentication.

------------------------------
Electric lock
------------------------------
The lock used for the tested setup is an Assa Abloy/effeff Profix 118. The lock
is simply controlled via a relay contact connected to the access manager. As
soon as a user successfully authenticates with a registration unit,
the relay connected to the lock is switched and the door opens.

The system is depicted in the following diagram.

          ┌─────────┐
          │         │
          │exos 9300│              ┌──────────┐  ┌──────────┐
          │         │              │ Reg Unit │  │ Pin Pad  │
          └────┬────┘              │   ┌──┐   │  │  x x x   │
               │                   │   │┼┼│   │  │  x x x   │
Ethernet──────►│                   │   └──┘   │  │  x x x   │
               │                   │   9001   │  │   9002   │
          ┌────┴────┐              └─────┬────┘  └─────┬────┘
          │ Access  │                    │             │
          │ Manager ├────────────────────┴─────────────┘
          │  9200   │        ▲
          └────┬────┘        │
               │           Coax
               │
  DC Relay───► │
               │
            ┌──┴──┐
            │     │
            │     │
            │     │
            │    ─┤◄──────Electric Lock
            │     │
            │     │
            └─────┘



Vulnerability overview/description:
-----------------------------------
1) UART Leaking Sensitive Data (CVE-2025-59109)
The dormakaba registration unit 9002 (PIN pad) has an exposed UART header on
the back of the device. The PIN pad sends every button press to this UART
interface, so an attacker can use it to exfiltrate PINs. Because the devices are
explicitly built as plug-and-play units that are easy to replace, an attacker can
easily remove the device, install a hardware implant that connects to the UART,
and forward the data exposed via UART to another system (e.g. via WiFi).


Proof of concept:
-----------------
1) UART Leaking Sensitive Data (CVE-2025-59109)
To verify that the UART interface actually sends the entered digits, wires were
soldered to the board of the keypad. With a baud rate of 57600, one stop bit and no
parity bit, the keystroke data can be received.

The received output then includes the pressed keys, and the coordinates of the pressed
key in the following format.

1,1324,0395,
5,1294,0386,
8,1290,0398,
6,1294,0388,
6,1294,0403,
E,1304,0374,
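To make precise what the captured output contains, here is an added example (not code from SEC Consult or dormakaba) that decodes records of the form shown above. It assumes each line is exactly `<key>,<x>,<y>,` with a digit or `E` (enter) as the key and four-digit coordinates, which is what the proof-of-concept output shows; the sample capture embedded in the code is the six lines above. It also groups the digits into the entry terminated by the enter key and collects the coordinates per key, since the coordinate fields locate the key on the pad and therefore reveal it on their own.

```python
"""Decode the keystroke records a 9002 PIN pad writes to its UART.

Added example for this advisory, not code from SEC Consult or dormakaba.
Assumption: every record is one line of the form  <key>,<x>,<y>,  exactly as
in the proof-of-concept output, where <key> is a digit or 'E' (the enter key)
and <x>,<y> are the four-digit coordinates of the pressed key.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Capture taken verbatim from the advisory's proof-of-concept output
# (57600 baud, no parity, one stop bit).
SAMPLE_CAPTURE = """\
1,1324,0395,
5,1294,0386,
8,1290,0398,
6,1294,0388,
6,1294,0403,
E,1304,0374,
"""

# One record per line: key, x coordinate, y coordinate, trailing comma.
RECORD_RE = re.compile(r"^([0-9E]),(\d{4}),(\d{4}),$")


@dataclass(frozen=True)
class KeyPress:
    key: str
    x: int
    y: int


def parse_records(capture: str) -> list[KeyPress]:
    """Turn a raw serial capture into KeyPress records; a malformed line raises."""
    presses: list[KeyPress] = []
    for lineno, line in enumerate(capture.splitlines(), start=1):
        line = line.strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unexpected UART record {line!r}")
        presses.append(KeyPress(m.group(1), int(m.group(2)), int(m.group(3))))
    return presses


def pin_entries(presses: list[KeyPress]) -> list[str]:
    """Group digit presses into entries, each terminated by the enter key.

    Digits after the last 'E' form an unfinished entry and are not returned.
    """
    entries: list[str] = []
    current: list[str] = []
    for press in presses:
        if press.key == "E":
            entries.append("".join(current))
            current = []
        else:
            current.append(press.key)
    return entries


def key_positions(presses: list[KeyPress]) -> dict[str, list[tuple[int, int]]]:
    """Collect the coordinates reported for each key.

    The coordinate fields are the position of the key on the pad, so the key
    is identifiable from them even without the key field itself.
    """
    positions: dict[str, list[tuple[int, int]]] = {}
    for press in presses:
        positions.setdefault(press.key, []).append((press.x, press.y))
    return positions


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CAPTURE)
    print("records:", len(recs))
    print("entries:", pin_entries(recs))
    print("positions:", key_positions(recs))
```

The strict regular expression is deliberate: when the function is used to check a capture from a test setup, a line that does not match the documented format is reported rather than silently skipped.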


Vulnerable / tested versions:
-----------------------------
All hardware revisions with a firmware version <SW0039, which was the latest
version available at the time of the test, are vulnerable.


Vendor contact timeline:
------------------------
2024-04-02: Contacting vendor through securitysupport () dormakaba com, no response
2024-04-05: Contacting vendor again through securitysupport () dormakaba com, no response
2024-04-09: Contacting vendor again through info () dormakaba com and helpdesk.awm.ch () dormakaba com
2024-04-09: info () dormakaba com and helpdesk.awm.ch () dormakaba com informed us
            that they are not responsible for Austrian "Customers" and we should
            contact the Austrian dormakaba entity.
2024-04-09: Contacting vendor again through info () dormakaba com, helpdesk.awm.ch () dormakaba com
            and securitysupport () dormakaba com. Explaining that this is not a local
            Austrian problem, but a global issue for dormakaba. Requesting a Global
            Security Contact.
2024-04-09: Instead of forwarding our message to the global security team a local
            Austrian dormakaba representative called us. We closed the call down by
            requesting a contact of dormakaba's global security team.
2024-04-09: Austrian representative requests the advisory via e-mail. Asking for
            confirmation whether mail encryption is supported or whether the advisory
            shall be forwarded unencrypted.
2024-04-10: Scheduling a conference call with the Austrian contact to clarify everything
            and explain the security issues.
2024-04-10: Conference call got cancelled. The Austrian contact forwarded our request to
            the headquarter in Switzerland.
2024-04-10: dormakaba's CISO contacted us via email and informed us that they would get
            back to us as soon as possible.
2024-04-12: dormakaba's DVP Systems Access Control and Owner Security Governance contacted
            us via email and provided us with a secure channel to submit the advisory. The
            advisory got submitted immediately.
2024-04-12: dormakaba's DVP Systems Access Control and Owner Security Governance requests
            details about the tested firmware and software version.
2024-04-15: SEC Consult provides detailed software and firmware version that was tested.
2024-04-16: dormakaba updates us and informs us that they are actively investigating
            the reported issues.
2024-04-30: Asking for a status update & offering a meeting to discuss any questions.
2024-04-30: dormakaba's CISO replies by accepting our meeting offer. Scheduling a meeting
            for 2024-05-07.
2024-05-07: Meeting with dormakaba's CISO and DVP Systems Access Control. All vulnerabilities
            are confirmed and actively worked on. Discussing further steps and agreeing on a
            monthly update meeting with dormakaba.
2024-05-08: Providing further details concerning the vulnerabilities as well as
            providing a set of questions (Vulnerable Versions, Firmware, Revisions), proposing
            meeting dates; no response
2024-05-23: Asking for a status update, no response
2024-06-03: Asking again for a status update.
2024-06-04: dormakaba's CISO replies with a meeting invite.
2024-06-05: Meeting with dormakaba for the scheduled monthly update meeting.
2024-07-24: Asking again for a status update, no response.
2024-07-31: Asking again for a status update or meeting, no response.
2024-08-19: Asking again for a status update or meeting.
2024-08-27: Scheduling a call for 2024-09-03
2024-09-03: dormakaba technician provides status update about which vulnerabilities are already
            fixed in the next release and which they are still actively working on.
2024-11-12: Asking for a status update and informing dormakaba that we tested a newer hardware
            release of the dormakaba Access Manager (9200-K7) which is based on Linux.
            Multiple new critical vulnerabilities were identified. A separate advisory
            is in the making.
2024-12-12: Meeting with dormakaba to discuss new identified issues in other hardware releases.
2025-01-16: Added vulnerability "Unauthenticated access to the internal SQLite Database" &
            "Static firmware encryption password", see SEC Consult advisory 20260126-1.
2025-01-17: Providing updated advisory to dormakaba, asking for a status update regarding
            the other issues.
2025-01-28: Asking for status update again. Vendor responds that they received our
            updated advisory and they are preparing a feedback.
2025-02 - 2026-01: Monthly meetings with dormakaba to discuss the current developments.
2026-01-26: Public release of the advisory.


Solution:
---------
In this specific case a hardware replacement is needed to fix the
vulnerability described above. There is no mechanism available to
update the reader firmware. The vulnerability is fixed starting with
all hardware revisions equipped with firmware >= SW0039. If readers
are installed in unsecured areas, we recommend replacing the hardware.

Review the website provided by dormakaba which was created specifically
for all the vulnerabilities documented in this advisory for more details
and insights from the manufacturer side. The vendor's security page is
available at the following location: https://www.dormakabagroup.com/en/security-advisories


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application: https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices: https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
X: https://x.com/sec_consult

EOF Werner Schober, Clemens Stockenreitner / @2026

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2026/Jan/24