Security Advisory

dormakaba evolo Service Remote Code Execution

.NET Remoting allows unauthenticated remote code execution

Advisory ID: MLSA-2026-001 (GCVE-111-MLSA-2026-001)
CVE: none
CVSS: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Severity: critical
Affected versions: <= 7.1.76.0
Fixed versions: none
Discovered by: Hans-Martin Münch

Product description

From the evolo Manager brochure (our translation):

With the evolo Manager access control software, your organization benefits from an easy-to-configure access control solution. It scales from individual doors to all access points within your building. You can manage access for employees, visitors, and delivery services, both indoors and outdoors.

The expandable design of evolo Manager lets you adapt the access control system to changing requirements. This flexibility enhances building security and protects your long-term investment.

Details

dormakaba provides a Windows service named “evolo service”. It is part of the dormakaba evolo Manager but can also be downloaded and installed separately. The evolo Manager communicates with this service over HTTP-based .NET Remoting on TCP port 8902.

The evolo service configures its .NET Remoting formatter sink with a TypeFilterLevel of Full. At this level the server deserializes arbitrary types sent by any client, before any application-level authentication takes place, so an unauthenticated attacker who can reach TCP port 8902 can achieve arbitrary code execution through insecure deserialization. Lowering the level to Low would narrow the set of types that are deserialized, but it is not a complete fix: Microsoft documents .NET Remoting as a legacy technology that must not be exposed to untrusted clients.

Workarounds

Until a fix is available, restrict access to TCP port 8902 to the hosts that run evolo Manager, for example with a local Windows firewall rule, and never expose the port to untrusted networks.
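The following PowerShell script is an added example written for this page; it is not code from the advisory or from dormakaba. It takes two facts from the advisory (the service listens on TCP 8902 and runs a .NET Remoting formatter with TypeFilterLevel Full) and assumes that the evolo Manager hosts are the only legitimate clients and that their addresses are known to the administrator (the address used below is an RFC 5737 documentation placeholder). The advisory does not say where the service reads its remoting settings from, so the configuration audit takes any XML document and is demonstrated on a constructed sample that shows what the weak setting looks like in a .NET Remoting configuration section.

```powershell
# Added example, not vendor code. Facts from the advisory: TCP 8902, TypeFilterLevel Full.
# Assumptions: evolo Manager hosts are the only legitimate clients; config file location unknown.

# 1. Is something listening on 8902, and is it bound to every interface (0.0.0.0 / ::)?
function Get-EvoloListener {
    Get-NetTCPConnection -LocalPort 8902 -State Listen -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess,
            @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }
}

# 2. Audit a .NET Remoting configuration section for formatter sinks that set
#    typeFilterLevel="Full". Since .NET Framework 1.1 an absent attribute means Low.
#    Caveat: a service that sets the level in code rather than in its config file
#    will not show up here.
function Test-RemotingTypeFilterLevel {
    param([Parameter(Mandatory)][xml]$Config)
    foreach ($f in $Config.SelectNodes('//system.runtime.remoting//formatter')) {
        $level = if ($f.HasAttribute('typeFilterLevel')) { $f.typeFilterLevel } else { 'Low' }
        [pscustomobject]@{
            Formatter       = $f.ref
            TypeFilterLevel = $level
            Unsafe          = ($level -eq 'Full')
        }
    }
}

# Constructed sample config (assumption: illustrates the weak setting, not the vendor's file).
$weakConfig = [xml]@'
<configuration>
  <system.runtime.remoting>
    <application>
      <channels>
        <channel ref="http" port="8902">
          <serverProviders>
            <formatter ref="soap"   typeFilterLevel="Full"/>
            <formatter ref="binary" typeFilterLevel="Full"/>
          </serverProviders>
        </channel>
      </channels>
    </application>
  </system.runtime.remoting>
</configuration>
'@

# 3. Workaround from the advisory: allow inbound TCP 8902 only from evolo Manager hosts.
#    Windows Firewall evaluates explicit Block rules before Allow rules, so a scoped
#    Allow rule is only effective when the profile's default inbound action is Block
#    and no broader Allow rule for 8902 exists. Both are printed before the rule is
#    created; creating rules requires an elevated shell. Rules whose LocalPort is a
#    range or "Any" are not matched by the exact-port filter and need a manual look.
function Set-EvoloPortRule {
    param([Parameter(Mandatory)][string[]]$ManagerHosts)

    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    Get-NetFirewallPortFilter -Protocol TCP -LocalPort 8902 |
        Get-NetFirewallRule |
        Select-Object DisplayName, Enabled, Direction, Action, Profile

    New-NetFirewallRule -DisplayName 'evolo service TCP 8902 - evolo Manager hosts only' `
        -Direction Inbound -Protocol TCP -LocalPort 8902 `
        -RemoteAddress $ManagerHosts -Action Allow -Profile Any
}

# Usage (placeholder address; replace with the real evolo Manager hosts).
Get-EvoloListener
Test-RemotingTypeFilterLevel -Config $weakConfig | Format-Table
Set-EvoloPortRule -ManagerHosts @('192.0.2.10')
```

The audit function reports two Unsafe entries for the constructed sample. Loopback traffic is not filtered by Windows Firewall, so an evolo Manager installed on the same machine as the service keeps working regardless of the rule.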

Coordinated Disclosure Timeline

  • 01/10/2025 Vulnerability report sent to dormakaba
  • 01/10/2025 Confirmation from the dormakaba security team that they received the vulnerability report
  • 14/10/2025 Message from the dormakaba security team confirming the vulnerability and asking for an online meeting
  • 14/10/2025 Response from MOGWAI LABS, suggesting several meeting dates
  • 08/01/2026 Message from MOGWAI LABS, informing dormakaba that the 90-day disclosure window has elapsed and that we plan to release an advisory
  • 08/01/2026 Response from dormakaba security team, again asking for an online meeting
  • 14/01/2026 Meeting with dormakaba, agreeing on a follow-up meeting for vulnerability disclosure
  • 04/02/2026 Follow-up meeting
  • 25/03/2026 Final clarification mail from dormakaba
  • 31/03/2026 Advisory release