When SEC Consult relocated offices, researchers Werner Schober and Clemens Stockenreitner salvaged an active Dormakaba Access 9300 system, complete with its management software, RFID readers and access controllers. They set themselves the goal of bypassing the physical access control non-destructively, over the network alone. Auditing the device configurations and the proprietary communication protocols revealed severe structural flaws.
They uncovered three unauthenticated network paths to actuate the door relays. The most glaring was an unencrypted SOAP API on port 8002 that required no authentication token or session: by enumerating the sequential access manager IDs and sending a "release once" command, anyone on the network could open doors remotely. Second, reverse-engineering the system's graphics monitoring tool turned up hardcoded legacy credentials; sending UTF-16 little-endian encoded payloads over port 1005 with these credentials triggered the same unlock action. Third, on port 4000 a legacy Symbian mobile phone interface accepted unauthenticated RPC objects that actuate the relays.
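Since all three paths are open to anyone who can reach the right port, the first defensive question is who on the network is actually talking to those ports. The following is an added detection example, not code from SEC Consult or dormakaba: it runs two simple rules over flow records. The port-to-service mapping (8002, 1005, 4000) comes from the research; the host addresses, their roles (management server, access controllers, time-tracking terminals), the flow records and the assumption that all three services are TCP are constructed for illustration.

```python
"""Network-side detection for the three unauthenticated door-release paths.
Added example; not SEC Consult or dormakaba code. Ports come from the
write-up; hosts, roles and flow records are constructed, and treating all
three services as TCP is an assumption."""
from collections import defaultdict

# Services the research found to accept unauthenticated door commands.
CONTROL_PORTS = {
    8002: "SOAP API (release once, PIN query, log injection)",
    1005: "graphics-monitoring protocol (hardcoded legacy credentials)",
    4000: "legacy Symbian mobile RPC interface",
}

# Constructed network model (assumptions, not from the write-up).
ACCESS_SYSTEM_HOSTS = {"10.10.0.5", "10.20.0.11", "10.20.0.12"}  # server + access controllers
TRUSTED_SOURCES = {"10.10.0.5", "10.10.0.50"}                    # server + admin workstation
TERMINAL_HOSTS = {"10.30.0.21", "10.30.0.22"}  # externally mounted time-tracking terminals

# Constructed flow records: "<epoch> <src> <dst> <dport>", one TCP connection each.
SAMPLE_FLOWS = """\
1700000000 10.10.0.5 10.20.0.11 8002
1700000001 10.10.0.5 10.20.0.12 1005
1700000005 10.30.0.21 10.20.0.11 8002
1700000006 10.30.0.21 10.20.0.11 8002
1700000007 10.30.0.21 10.20.0.11 8002
1700000008 10.30.0.21 10.20.0.11 8002
1700000009 10.30.0.21 10.20.0.11 8002
1700000040 10.40.0.9 10.20.0.12 4000
1700000050 10.30.0.22 10.10.0.5 443
1700000060 10.40.0.9 10.20.0.12 8002
"""


def parse_flow(line):
    """Split one constructed flow record into (epoch, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect(flow_lines, burst_threshold=5, burst_window=60):
    """Return alerts for control-port traffic from untrusted sources.

    Rule 1: any connection to an access-system host on a control port from a
    source other than the management server or admin workstation is reported;
    severity is 'critical' when the source address belongs to a time-tracking
    terminal, because a laptop plugged into a terminal's external network drop
    inherits that position in the network.
    Rule 2: >= burst_threshold SOAP (8002) connections from one source within
    burst_window seconds are reported as a likely access-manager ID sweep.
    """
    alerts = []
    soap_times = defaultdict(list)
    for line in flow_lines:
        if not line.strip():
            continue
        ts, src, dst, dport = parse_flow(line)
        if dst not in ACCESS_SYSTEM_HOSTS or dport not in CONTROL_PORTS:
            continue
        if src in TRUSTED_SOURCES:
            continue  # expected management traffic
        alerts.append({
            "rule": "unauthorised_control_port",
            "severity": "critical" if src in TERMINAL_HOSTS else "high",
            "ts": ts, "src": src, "dst": dst, "dport": dport,
            "service": CONTROL_PORTS[dport],
        })
        if dport == 8002:
            soap_times[src].append(ts)

    # Sliding window over each source's SOAP connection times.
    for src, times in soap_times.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > burst_window:
                lo += 1
            if hi - lo + 1 >= burst_threshold:
                alerts.append({"rule": "soap_burst", "severity": "high", "src": src,
                               "connections": hi - lo + 1, "window_s": burst_window})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS.splitlines()):
        print(alert)
```

Run directly to print the alerts for the sample flows: five critical hits from the terminal address plus one burst finding, and two high hits from an unknown host. Source-address allowlisting alone is deliberately not treated as sufficient here, because the attacker on an unplugged terminal's drop can simply reuse that terminal's address; the terminal rule exists to make such traffic stand out rather than blend in.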
Beyond direct door releases, the system exhibited severe secondary risks. The SOAP API let an attacker query user PINs in plaintext and inject forged log entries with arbitrary timestamps, neutralizing the integrity of the audit trail. An attacker could also overwrite the administrative SQLite database to gain full control of the system. On legacy K5 access controllers running Windows CE, a directory traversal vulnerability was traced to a 20-year-old hobbyist web server demo that had been copied verbatim into the enterprise firmware. The vendor initially argued that exploiting these flaws required access to the internal network; the researchers defeated that argument by simply unplugging an externally mounted, Ethernet-connected time-tracking terminal and using its network drop to get inside the supposedly secure perimeter.
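Because the SOAP API lets anyone on the network write arbitrarily timestamped entries, the device's own audit log cannot vouch for itself; the only timestamp that can be trusted is one stamped by an external collector on receipt. The following is an added example, not code from SEC Consult or dormakaba, of a collector-side check that treats the timestamp inside each entry as untrusted and compares it against the receipt time. The export format, the access-manager names (AM-01, AM-02) and the events are constructed for illustration; the 60-second tolerance is an assumed operational bound.

```python
"""Collector-side integrity check for access-system audit logs.
Added example; not SEC Consult or dormakaba code. The export format and the
events are constructed; the skew tolerance is an assumption."""

# Constructed export format: "<received_epoch>|<claimed_epoch>|<source>|<event>|<subject>".
# received_epoch is stamped by the collector on arrival (trusted); claimed_epoch is the
# timestamp the access system placed inside the entry (untrusted, forgeable via SOAP).
SAMPLE_EXPORT = """\
1700000100|1700000099|AM-01|door released|badge 4711
1700000160|1700000158|AM-01|door released|badge 0815
1700000200|1699990000|AM-01|door released|badge 4711
1700000230|1700000229|AM-02|PIN accepted|user 17
1700000260|1700000400|AM-02|door released|badge 0815
1700000300|1700000299|AM-02|door released|badge 4711
"""


def parse_entry(line):
    """Parse one constructed export line into a dict."""
    received, claimed, source, event, subject = line.split("|", 4)
    return {"received": int(received), "claimed": int(claimed),
            "source": source, "event": event, "subject": subject}


def audit_anomalies(lines, max_skew=60):
    """Return [{line, source, reasons}] for entries whose claimed time is not credible.

    clock_skew: |claimed - received| exceeds max_skew seconds. Entries are expected
        to arrive shortly after the event they describe, so a large gap in either
        direction indicates back-dating or forward-dating.
    sequence_regression: claimed time runs backwards relative to the last credible
        entry from the same source. Flagged entries do not advance the per-source
        high-water mark, so a single forged future-dated entry cannot make every
        legitimate entry after it look anomalous.
    """
    findings = []
    last_credible = {}  # source -> claimed time of its last unflagged entry
    for n, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        e = parse_entry(line)
        reasons = []
        if abs(e["claimed"] - e["received"]) > max_skew:
            reasons.append("clock_skew")
        prev = last_credible.get(e["source"])
        if prev is not None and e["claimed"] < prev:
            reasons.append("sequence_regression")
        if reasons:
            findings.append({"line": n, "source": e["source"], "reasons": reasons})
        else:
            last_credible[e["source"]] = e["claimed"]
    return findings


if __name__ == "__main__":
    for f in audit_anomalies(SAMPLE_EXPORT.splitlines()):
        print(f)
```

On the sample export, line 3 is a back-dated entry for AM-01 (flagged for both skew and regression) and line 5 is a future-dated entry for AM-02 (skew only); line 6, a legitimate entry that follows the forged one, is not flagged because the forged timestamp never became the high-water mark. The check only works if entries are exported to a collector the attacker cannot write to; a forged entry that also overwrites the SQLite database on the management host, as described above, leaves no local evidence to compare against.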