Critical Security Release: Dormakaba Access Control Systems Exposed by Over 20 Severe Vulnerabilities + Video


Introduction: When Physical Security Depends on Software Trust

Physical access control systems are often treated as the last line of defense, trusted to protect critical infrastructure, sensitive facilities, and high-security environments. But when these systems rely heavily on software, networks, and poorly secured configurations, they inherit the same risks as any other digital platform. A recent security investigation has revealed how fragile that trust can become. Researchers from SEC Consult uncovered a wide range of critical vulnerabilities in Dormakaba’s exos 9300 access control ecosystem, a platform used across Europe by airports, logistics hubs, energy providers, and other high-risk organizations. The findings raise serious concerns about the convergence of physical and cyber security, and how weaknesses in one domain can directly compromise the other.

The Original Findings

Security researchers from SEC Consult identified and responsibly disclosed more than 20 security vulnerabilities affecting Dormakaba physical access control systems built on the exos 9300 platform. These enterprise-grade systems are commonly deployed in large organizations to manage doors, locks, and entry points using key cards, PINs, or biometric readers such as fingerprint scanners.

Scope of Affected Environments

Dormakaba confirmed that several thousand customers were potentially impacted, including organizations operating in high-security contexts. The affected deployments span critical sectors, making the vulnerabilities particularly alarming due to the potential real-world consequences.

Core Security Failures Identified

The vulnerabilities included hardcoded credentials, weak and guessable passwords, missing authentication mechanisms, and command injection flaws. Together, these weaknesses could allow attackers to open arbitrary doors, reconfigure controllers and peripherals, and manipulate system behavior without proper authorization.

Architecture Under Examination

The researchers analyzed the full exos 9300 ecosystem, including central management software, access managers, and door-side registration units. The system runs on Windows Server, relies on an MSSQL database, and communicates with access devices through networked controllers. Access managers from the 9200 series operate on Windows CE or Linux and expose multiple services, including web-based interfaces and a SOAP API used to control locks and door relays.

Exposure of Sensitive Data

Critical data such as credentials, PIN codes, and configuration files were found to be stored locally on access managers. In several cases, this data was insufficiently protected, making it accessible to attackers with network or physical access to the device.

Attack Impact and Realistic Threats

According to SEC Consult, successful exploitation could allow attackers to unlock doors, steal access PINs, or pivot further into internal networks. Dormakaba noted that exploitation would typically require prior access to the internal network or hardware, but researchers demonstrated that this assumption does not always hold.

Internet-Exposed Systems Discovered

The researchers identified multiple access managers directly exposed to the public internet. These systems were primarily located in Spain, the Netherlands, and Switzerland. Many exposed web login pages and the SOAP API on port 8002, enabling direct control of connected doors.

Remote Door Control Risk

If exploited, the vulnerabilities could allow attackers to remotely open doors over the internet. SEC Consult demonstrated this risk by publishing a proof-of-concept video showing how specially crafted requests could trigger door unlocks.

Vendor Response and Mitigation Efforts

Dormakaba acknowledged the findings and reported that it has spent approximately 18 months releasing patches, security hardening guidance, and working closely with major customers to address the issues. As of the time of reporting, the company stated it was not aware of any real-world attacks exploiting these vulnerabilities.

What Undercode Says:

The Hidden Danger of Cyber-Physical Convergence

This case highlights a recurring and deeply troubling pattern in modern security architecture. Physical access control systems are increasingly software-driven, network-connected, and remotely managed, yet they are often designed and deployed with outdated security assumptions. The belief that internal networks are inherently safe continues to fail in real-world environments.

Design Choices That Amplify Risk

Hardcoded credentials and missing authentication are not minor oversights; they are fundamental design failures. In systems that control physical entry points, these flaws go beyond data exposure and translate directly into real-world access breaches.

Internet Exposure as a Force Multiplier

The discovery of access managers exposed to the public internet dramatically changes the threat model. Once a door controller is reachable online, attackers no longer need insider access or physical proximity. The attack surface becomes global, automated, and scalable.

Legacy Platforms and Long Lifecycles

Physical security systems often remain in operation for decades, far longer than typical IT infrastructure. When these systems are built on legacy operating systems like Windows CE or outdated Linux environments, patching becomes slow, complex, and sometimes impossible without major hardware replacement.

The False Comfort of “No Known Exploitation”

Statements claiming no known attacks in the wild should not be interpreted as safety guarantees. Many physical security breaches go undetected or unreported, especially when attackers exploit access quietly without causing immediate disruption.

Responsibility Beyond Patching

While Dormakaba’s patching efforts are significant, this incident underscores the need for stronger default configurations, secure-by-design principles, and mandatory network isolation. Vendors must assume hostile environments by default, not ideal ones.

A Wake-Up Call for Critical Infrastructure

Organizations operating airports, energy facilities, and logistics hubs must reassess how physical security systems are monitored, segmented, and audited. Cybersecurity teams and physical security teams can no longer operate in silos.
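The exposure described earlier (access managers reachable from the internet on the SOAP port 8002) and the segmentation advice above both come down to one question a defender can answer mechanically: which firewall rules allow traffic to the controller VLAN from anywhere other than the management network? The script below is an added example written for this article, not code from SEC Consult or Dormakaba. It assumes a simplified, hypothetical rule export of the form `action source destination port/proto`, a constructed sample of such rules, and that the web login pages sit on 80/443 (the article names only port 8002; the other two ports are an assumption). It flags every allow rule that reaches a watched port on the controller network from a source outside the management subnets, rating it "internet" when the source is non-private or unrestricted and "lateral" otherwise.

```python
"""Audit an ACL export for access-manager exposure.

Added example, not the vendor's or the researchers' code. The rule format
below is hypothetical; adapt parse_rules() to your firewall's real export.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# TCP 8002 is the SOAP API port named in the report. 80/443 are an
# assumption for the web login pages, which the article does not give a port for.
WATCHED_PORTS = {8002, 80, 443}


@dataclass
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]   # None means "any"
    proto: str


@dataclass
class Finding:
    rule: Rule
    severity: str         # "internet" or "lateral"


def parse_rules(text: str) -> List[Rule]:
    """Parse lines of 'action src_cidr dst_cidr port/proto|any'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, service = line.split()
        if service == "any":
            port, proto = None, "any"
        else:
            port_s, proto = service.split("/")
            port = int(port_s)
        rules.append(Rule(action, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), port, proto))
    return rules


def _within(net: ipaddress.IPv4Network, allowed: List[ipaddress.IPv4Network]) -> bool:
    return any(net.subnet_of(a) for a in allowed)


def audit(rules: List[Rule], controller_net: ipaddress.IPv4Network,
          mgmt_nets: List[ipaddress.IPv4Network]) -> List[Finding]:
    """Flag allow rules that reach a watched controller port from outside management.

    Simplification: each allow rule is judged on its own; first-match ordering
    against earlier deny rules is not modelled.
    """
    findings = []
    for r in rules:
        if r.action != "allow" or not r.dst.overlaps(controller_net):
            continue
        if r.port is not None and r.port not in WATCHED_PORTS:
            continue
        if _within(r.src, mgmt_nets):
            continue               # management VLAN is the only intended client
        wide_open = r.src.prefixlen == 0 or not r.src.is_private
        findings.append(Finding(r, "internet" if wide_open else "lateral"))
    return findings


# Constructed sample export; addresses and rules are invented for illustration.
SAMPLE_RULES = """\
# action  source           destination     service
allow   10.20.0.0/24     10.50.1.10/32   8002/tcp   # mgmt VLAN -> access manager
allow   0.0.0.0/0        10.50.1.11/32   8002/tcp   # any source -> SOAP API
allow   192.168.5.0/24   10.50.1.12/32   8002/tcp   # office LAN -> SOAP API
allow   0.0.0.0/0        10.50.1.10/32   443/tcp    # any source -> web login (port assumed)
allow   10.20.0.0/24     10.50.1.0/24    any        # mgmt VLAN -> whole controller VLAN
deny    0.0.0.0/0        10.50.1.0/24    any
"""
CONTROLLER_NET = ipaddress.ip_network("10.50.1.0/24")
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def run_sample() -> List[Finding]:
    return audit(parse_rules(SAMPLE_RULES), CONTROLLER_NET, MGMT_NETS)


if __name__ == "__main__":
    for f in run_sample():
        r = f.rule
        print(f"[{f.severity:8}] {r.src} -> {r.dst} port {r.port}/{r.proto}")
```

Run against the sample, the script reports three findings: the two unrestricted rules reaching the SOAP API and the assumed web-login port as "internet", and the office-LAN rule to the SOAP API as "lateral", which is exactly the "internal network is safe" assumption the article warns against. The management-VLAN rules produce no findings because their source sits inside the allowed subnets.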

The Broader Industry Implication

This is not just a Dormakaba issue. It reflects an industry-wide challenge where physical security vendors adopt digital features faster than they adopt digital security maturity. Until that gap is closed, similar disclosures will continue to surface.

Fact Checker Results

✅ More than 20 vulnerabilities were confirmed and disclosed by SEC Consult.
✅ Dormakaba acknowledged that thousands of customers were potentially affected.
❌ No evidence currently confirms active exploitation in real-world attacks.

Prediction

📊 Physical access control systems will increasingly become prime targets as attackers seek real-world impact beyond data theft.
📊 Regulatory pressure is likely to rise, forcing vendors to adopt stricter secure-by-design standards.
📊 Organizations will move toward zero-trust models even for physical security infrastructure.


References:

Reported By: securityaffairs.com