Researchers say flaws they found in the equipment's software meant they could create "master keys" that opened the rooms without leaving an activity log.
The F-Secure team said it had worked with the locks' maker over the past year to create a fix.
But the Swedish manufacturer is playing down the risk to those hotels that have yet to install an update.
"Vision Software is a 20-year-old product, which has been compromised after 12 years and thousands of hours of intensive work by two employees at F-Secure," said a spokeswoman for the company, Assa Abloy.
"These old locks represent only a small fraction [of those in use] and are being rapidly replaced with new technology."
Assa Abloy's locks are used by some of the world's biggest hotel chains - including Intercontinental, Hyatt, Radisson and Sheraton - although it has not disclosed which properties still use a compromised version of the Vision by VingCard system.
Source: BBC