
The weaknesses expose critical physical security gaps in high‑value sectors such as energy, logistics, and aviation, raising the risk of unauthorized entry and subsequent cyber‑physical attacks. Prompt patching is essential to prevent attackers from leveraging network access to compromise physical premises.
Physical access control systems have become a cornerstone of corporate security, linking digital authentication to tangible entry points. As organizations adopt networked door controllers, the attack surface expands beyond traditional IT assets, allowing threat actors to pivot from cyber breaches to physical intrusion. Recent incidents across Europe illustrate how remote exploitation of access software can bypass on‑site safeguards, underscoring the need for holistic security strategies that treat doors as extensions of the network. Failure to secure these systems can lead to operational disruptions, safety hazards, and reputational damage.
The SEC Consult team identified more than twenty critical flaws in Dormakaba’s Exos platform, ranging from hard‑coded encryption keys to command‑injection vulnerabilities. These defects could grant an attacker the ability to unlock doors, retrieve PIN codes, or move laterally within a protected network. Although the vendor reports no confirmed incidents, researchers discovered dozens of units reachable from the public internet that could be compromised remotely. Dormakaba has since released patches and hardening guidelines after an 18‑month remediation effort, working closely with thousands of European customers to reduce the risk. The incident also serves as a reminder that legacy access solutions often lack modern cryptographic safeguards.
The Dormakaba case highlights a growing convergence of cyber and physical security, prompting executives to reassess vendor risk management and patching cadences. Organizations should enforce network segmentation, adopt strong credential policies, and regularly audit access‑control firmware for hidden backdoors. As regulators increasingly scrutinize cyber‑physical resilience, firms that integrate continuous monitoring and rapid vulnerability response will gain a competitive edge while reducing the likelihood of costly breaches that could compromise both data and physical assets. Investing in unified security platforms that correlate physical events with IT alerts can further mitigate risk.