Access System Flaws Enabled Hackers to Unlock Doors at Major European Firms
securityweek
Vulnerabilities discovered by researchers in Dormakaba physical access control systems could have allowed hackers to remotely open doors at major organizations.
The security holes were discovered by experts at SEC Consult, a cybersecurity consulting firm under Atos-owned Eviden, in Dormakaba’s Exos central management software, a hardware access manager, and registration units that enable entry via a keypad, fingerprint reader, or chip card.
Several types of vulnerabilities were identified, including hardcoded credentials and encryption keys, weak passwords, lack of authentication, insecure password generation, local privilege escalation, data exposure, path traversal, and command injection issues.
The vulnerable product is mainly used by large enterprises in Europe, including industrial companies, energy providers, logistics firms, and airport operators.
Exploitation of the flaws identified by SEC Consult researchers could have allowed threat actors to directly unlock doors, obtain access PINs, or conduct further attacks in the compromised environment.
“A few thousand customers were potentially ...
Copyright of this story solely belongs to securityweek.

