Hands-Free Lockpicking: Critical Vulnerabilities in dormakaba’s Physical Access Control System - SEC Consult
26.01.2026
research
hardware
IoT
vulnerability
TL;DR

In this post, Clemens Stockenreitner and Werner Schober of the SEC Consult Vulnerability Lab highlight several critical vulnerabilities found in dormakaba's physical access control systems based on exos 9300. This access control system originates from the manufacturer's enterprise product line for door and access systems and is predominantly used by large enterprises in Europe, including industrial and service companies, logistics operators, energy providers, and airport operators. It controls access to public and restricted areas, typically in combination with key cards (RFID) or fingerprint readers. According to the manufacturer, several thousand customers were affected, a small proportion of whom operate in environments with high security requirements.

These flaws let an attacker open arbitrary doors in numerous ways, reconfigure connected controllers and peripherals without prior authentication, and much more. This article summarizes the issues we found, resulting in more than 20 vulnerabilities, explains their potential security impact, and references the practical mitigations that must be applied to fix them.

Dormakaba handled the responsible disclosure process exceptionally well. Multiple patches as well as a hardening guideline are provided by the vendor.

More details can be found in our advisories accompanying this blog post as well as on the vendor-specific page:

Technical advisory exos 9300
Technical advisory access manager
Technical advisory registration unit
Dormakaba security support center page
Structure

This blog post is split into three essential parts, which can be read independently. However, we highly recommend reading all three parts to get all the nifty details and to improve your understanding of the whole environment and of the vulnerabilities detailed in the second section.

The blog post is split into the following sections:

Section 1 – Intro to Physical Access Management Systems
This part serves as a general introduction to the world of physical access management systems and their essential components. If you are already familiar with such systems, you may skip this background section and proceed directly to the findings in section 2.

Section 2 – Vulnerabilities
The second part, which is more technical, focuses on the many vulnerabilities we discovered, some of which are highly critical. These issues span the hardware, firmware, and software of dormakaba exos 9300, a widely used physical access control system.

Section 3 – Prerequisites, Mitigations, and Disclosure
The last section covers the prerequisites required to exploit each vulnerability (including a per-finding prerequisites overview). We discuss how different deployment and network conditions influence real-world exploitability, e.g. via third-party devices, guest zones, or other environment misconfigurations. In the worst case, certain devices may be accessible and exploitable directly over the Internet. Further, we provide the recommended solution, detail the affected hardware and software, and summarize the responsible disclosure timeline.
Motivation

In the realm of cybersecurity and penetration testing, there is a well-known inverse correlation between the complexity and acquisition cost of a system and the likelihood of its vulnerabilities being identified. More sophisticated and costly systems, whether due to technical complexity or significant resource requirements for acquisition and testing, often see fewer penetration tests and less (free) security research. This is partly due to the entry barriers such systems present to security researchers and testers, such as requiring more specialized knowledge, greater time investment, or substantial financial outlay to gain access. As a result, these systems may remain under-tested compared to their less complex counterparts, potentially harboring unaddressed security risks.

After more than 20 years of responsible disclosure, vulnerability research, and hundreds of advisories, we at SEC Consult can clearly state that some of the most interesting research topics concerned systems that are either too costly to simply buy out-of-pocket, extremely complicated to set up for testing without the help of the manufacturer, or simply impossible for end users to buy as an evaluation system at all. Furthermore, even used components bought on online marketplaces are often useless, as they mostly require licensed server software or activation keys to run.

Subsequently, for research purposes, we at SEC Consult try to get our...