CVE-2025-59097: CWE-306: Missing Authentication for Critical Function in dormakaba Access Manager 92xx-k5
Description
The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, they are not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network-level access to completely control the whole environment. An attacker is, for example, easily able to conduct the following tasks without prior authentication:
- Re-configure Access Managers (e.g. remove alarming system requirements)
- Freely re-configure the inputs and outputs
- Open all connected doors permanently
- Open all doors for a defined time interval
- Change the admin password
- and many more
Network-level access can be gained due to insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet.
AI Analysis
Technical Summary
CVE-2025-59097 identifies a critical security flaw in dormakaba Access Manager 92xx-K5 series devices, specifically related to the exos 9300 application used for configuring these devices. The vulnerability arises because the SOAP requests sent from the exos 9300 GUI to the Access Manager devices to save configuration changes do not require any authentication or authorization by default. This missing authentication (CWE-306) allows any attacker with network-level access to send arbitrary configuration commands to the Access Manager. The attacker can perform highly sensitive operations such as reconfiguring inputs and outputs, disabling alarm systems, permanently or temporarily unlocking all connected doors, and changing administrative credentials. Although dormakaba provides options to secure these communications via IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, these security features are not enabled by default and require additional manual configuration steps. The vulnerability is exacerbated by common network misconfigurations, including insufficient network segmentation and lack of LAN firewalls, which can expose these devices directly to the internet. The CVSS 4.0 base score of 9.3 reflects the vulnerability's critical impact, with network attack vector, no required privileges or user interaction, and high impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the ease of exploitation and potential impact make this a severe threat to physical security and IT infrastructure.
Potential Impact
For European organizations, this vulnerability poses a severe risk to physical security and operational continuity. Dormakaba Access Managers are widely used in commercial buildings, government facilities, and critical infrastructure across Europe to control physical access. Exploitation could allow attackers to bypass all physical security controls by unlocking doors, disabling alarms, and altering access policies without detection. This could lead to unauthorized physical intrusions, theft, sabotage, or espionage. The ability to change administrative passwords further increases the risk of persistent unauthorized access. Organizations with poor network segmentation or those exposing these devices to the internet are particularly vulnerable. The impact extends beyond physical security to potential regulatory and compliance violations under GDPR and other European data protection laws if unauthorized access leads to data breaches. Additionally, disruption of access control systems could cause operational downtime and reputational damage.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately verify whether dormakaba Access Manager 92xx-K5 devices are deployed in their environment and assess their network exposure. The following specific actions are recommended:
1) Enable IPsec authentication on all 92xx-K5 devices to enforce authentication and authorization on SOAP configuration requests.
2) If possible, upgrade to or configure devices supporting mTLS for stronger mutual authentication.
3) Implement strict network segmentation to isolate access control devices from general IT networks and untrusted zones.
4) Deploy internal firewalls and access control lists to restrict network-level access to these devices only to authorized management systems.
5) Conduct thorough network scans to identify any devices exposed directly to the internet and immediately remove or secure them.
6) Regularly audit access control configurations and monitor logs for unauthorized changes.
7) Engage with dormakaba support for any available patches or updated firmware addressing this issue.
8) Train security and IT staff on the risks of default insecure configurations and the importance of enabling authentication features.
These targeted mitigations go beyond generic advice by focusing on the specific insecure default configuration and network exposure vectors.
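Steps 4 to 6 above amount to one check a defender can automate: every configuration connection to an Access Manager should originate from the exos server, and nothing should reach the device from outside the LAN at all. The script below is an added example written for this page; it is not code from the advisory, from SEC-VLab or from dormakaba. The flow-record format, the Access Manager subnet, the exos server address and the SOAP port are all constructed assumptions (the advisory names no port), so each must be replaced with site values before use.

```python
"""Defender-side audit of connection records for configuration traffic
reaching access-control devices from hosts that should not be able to
push configuration to them.

Everything below (log format, subnets, the management host, the SOAP
port) is a constructed assumption for this example, not a value from
the advisory or from dormakaba documentation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy: the subnet the Access Managers sit in, the only host
# (the exos server) allowed to push configuration, and the TCP port the SOAP
# endpoint is assumed to listen on. Replace all three with site values.
ACCESS_MANAGER_NET = ipaddress.ip_network("10.50.0.0/24")
ALLOWED_MANAGEMENT_HOSTS = {ipaddress.ip_address("10.10.0.5")}
SOAP_PORT = 8080  # assumed placeholder; the advisory names no port

# RFC 1918 ranges; any source outside them is treated as external here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Finding:
    kind: str   # "external_source" or "unauthorized_source"
    src: str
    dst: str
    port: int


def is_internal(addr) -> bool:
    """True when the address falls in one of the RFC 1918 ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str) -> Optional[Tuple[object, object, int, str]]:
    """Parse one constructed flow record of the form 'src dst port proto'.
    Returns None for lines that do not match, so a malformed record never
    aborts the audit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, port, proto = parts
    try:
        return (ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(port), proto.upper())
    except ValueError:
        return None


def audit_flows(lines: List[str]) -> List[Finding]:
    """Flag every TCP connection to the SOAP port of an Access Manager whose
    source is not the exos server. External sources get their own kind so
    that internet exposure stands out from a mis-segmented LAN."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        src, dst, port, proto = rec
        if dst not in ACCESS_MANAGER_NET or proto != "TCP" or port != SOAP_PORT:
            continue
        if src in ALLOWED_MANAGEMENT_HOSTS:
            continue
        kind = "unauthorized_source" if is_internal(src) else "external_source"
        findings.append(Finding(kind, str(src), str(dst), port))
    return findings


# Constructed sample records (not real traffic).
SAMPLE_FLOWS = [
    "10.10.0.5 10.50.0.20 8080 tcp",    # exos server pushing config: expected
    "10.20.0.77 10.50.0.20 8080 tcp",   # office workstation: LAN not segmented
    "203.0.113.5 10.50.0.21 8080 tcp",  # external address: device exposed
    "10.20.0.77 10.50.0.20 443 tcp",    # other port: not in scope
    "10.20.0.77 10.60.0.9 8080 tcp",    # not an Access Manager: ignored
    "garbage line",                     # malformed: skipped
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"{f.kind}: {f.src} -> {f.dst}:{f.port}")
```

Run against the sample records, the audit reports the workstation as an unauthorized LAN source and the 203.0.113.5 connection as an external source; the exos server's own push is silent. Feeding the script real firewall or NetFlow exports (after adapting `parse_flow` to their format) turns step 6's "monitor logs" into a concrete, repeatable control, and a non-empty `external_source` list is the signal for step 5 that a device needs to be pulled off the internet.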
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Belgium, Italy, Spain, Austria, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-09T07:52:56.383Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6977400a4623b1157c815e96
Added to database: 1/26/2026, 10:20:58 AM
Last enriched: 1/26/2026, 10:38:49 AM
Last updated: 2/5/2026, 10:56:09 AM