
CVE-2025-59098: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in dormakaba Access Manager 92xx-k5

Severity: High
Published: Mon Jan 26 2026 (01/26/2026, 10:04:51 UTC)
Source: CVE Database V5
Vendor/Project: dormakaba
Product: Access Manager 92xx-k5

Description

The Access Manager offers a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket. A tool called TraceClient.exe, provided by dormakaba via the Access Manager web interface, is used to connect to the socket and receive debug information. The data is permanently broadcast on the TCP socket. The socket can be accessed without any authentication or encryption. The transmitted data depends on the configured verbosity level. The verbosity level can be set using the http(s) endpoint with the service interface password, or via the SOAP interface with the guessable identifier of the device. The transmitted data contains sensitive data such as the Card ID as well as all button presses on Registration units. This allows an attacker with network-level access to retrieve all PINs entered on a registration unit.

AI-Powered Analysis

Last updated: 01/26/2026, 10:37:16 UTC

Technical Analysis

The vulnerability CVE-2025-59098 affects dormakaba Access Manager 92xx-k5 devices, specifically versions prior to XAMB 04.06.212. The Access Manager includes a trace/debug functionality designed to aid troubleshooting by broadcasting debug information over a TCP socket. This socket is accessible without any authentication or encryption, so any attacker with network-level access can connect and receive the debug data. The data broadcast depends on a verbosity level that can be set remotely, either via HTTP(S) endpoints that require the service interface password or via a SOAP interface that accepts a guessable device identifier; the latter weakens access control considerably. The debug data includes highly sensitive information such as Card IDs and all button presses on registration units, effectively exposing PIN codes and other authentication inputs. The vulnerability is classified under CWE-497, exposure of sensitive system information to an unauthorized control sphere. The CVSS 4.0 score is 8.7 (high severity), reflecting the ease of exploitation (network access, no authentication), the critical confidentiality impact (exposure of authentication credentials), and the absence of any required user interaction or privileges. Although no public exploits are known yet, the vulnerability poses a significant risk to physical security and access control integrity, as attackers could intercept credentials and potentially bypass or manipulate access controls. The lack of encryption and authentication on the debug socket is a fundamental design flaw that enables this exposure.

Potential Impact

For European organizations, this vulnerability could lead to severe security breaches in physical access control systems. Attackers with network access—potentially internal or via compromised network segments—can intercept sensitive authentication data such as Card IDs and PINs, enabling unauthorized physical entry or cloning of access credentials. This undermines the integrity and confidentiality of access control mechanisms, potentially leading to unauthorized facility access, theft, espionage, or sabotage. Organizations in sectors with high physical security requirements—such as government, critical infrastructure, finance, and manufacturing—are particularly at risk. The exposure of PINs and card data also raises compliance concerns under GDPR and other data protection regulations, as biometric and access credentials are sensitive personal data. The vulnerability could facilitate lateral movement within networks if attackers gain physical access, compounding cybersecurity risks. The absence of encryption and authentication on the debug interface increases the attack surface, especially in environments where network segmentation or monitoring is insufficient.

Mitigation Recommendations

Immediate mitigation steps include disabling the trace/debug functionality on affected dormakaba Access Manager devices if possible, or restricting network access to the TCP debug socket through strict firewall rules and network segmentation to limit exposure to trusted administrators only. Organizations should update the Access Manager firmware to versions at or above XAMB 04.06.212 once available, as this likely contains patches addressing the vulnerability. If firmware updates are delayed, implement compensating controls such as VPN tunnels or encrypted management networks to protect debug data in transit. Change and strengthen service interface passwords to prevent unauthorized verbosity level changes. Monitor network traffic for unusual connections to the debug TCP port and audit access logs for suspicious activity. Engage with dormakaba support to obtain official patches or guidance. Additionally, review physical access policies and consider multi-factor authentication methods that do not rely solely on PINs or card data exposed by this vulnerability. Conduct regular security assessments of access control infrastructure to detect and remediate similar weaknesses.
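To support the monitoring step above, the following is an added example (not part of the advisory or of dormakaba's tooling) that parses constructed firewall-style connection logs and flags TCP sessions to the Access Manager trace socket that do not originate from the trusted-administrator segment. The trace port number, device addresses, admin network and log format are all assumptions, since the advisory does not state them.

```python
"""Flag trace-socket sessions from hosts outside the admin allowlist.

Added example, not vendor code. Port, addresses and log format are assumed.
"""
import re
from ipaddress import ip_address, ip_network

TRACE_PORT = 9999                              # placeholder: real port not given on the page
ACCESS_MANAGERS = {"10.0.9.10", "10.0.9.11"}   # assumed Access Manager addresses
ADMIN_NETS = [ip_network("10.0.100.0/24")]     # assumed trusted administrator segment

# Assumed firewall log shape: "<ts> <host> ALLOW|DENY TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def is_admin(src: str) -> bool:
    """True if the source address sits in a trusted administrator network."""
    addr = ip_address(src)
    return any(addr in net for net in ADMIN_NETS)

def analyse(lines):
    """Return (src, dst, severity) for every trace-port session from an untrusted host."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a connection record in the expected shape
        if int(m["dport"]) != TRACE_PORT or m["dst"] not in ACCESS_MANAGERS:
            continue  # unrelated traffic
        if is_admin(m["src"]):
            continue  # expected TraceClient use from the admin segment
        # An ALLOWed session means debug output (Card IDs, PINs) is reaching an
        # untrusted host; a DENY shows the segmentation rule did its job.
        severity = "alert" if m["action"] == "ALLOW" else "info"
        findings.append((m["src"], m["dst"], severity))
    return findings

SAMPLE_LOGS = [  # constructed sample lines
    "2026-01-26T10:05:01Z fw01 ALLOW TCP 10.0.100.7:51234 -> 10.0.9.10:9999",
    "2026-01-26T10:05:09Z fw01 ALLOW TCP 10.0.5.23:40211 -> 10.0.9.10:9999",
    "2026-01-26T10:06:12Z fw01 DENY TCP 192.168.3.4:33000 -> 10.0.9.11:9999",
    "2026-01-26T10:06:30Z fw01 ALLOW TCP 10.0.5.23:40212 -> 10.0.9.10:443",
]

if __name__ == "__main__":
    for src, dst, sev in analyse(SAMPLE_LOGS):
        print(f"[{sev.upper()}] {src} -> {dst}:{TRACE_PORT} trace socket session")
```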


Technical Details

Data Version: 5.2
Assigner Short Name: SEC-VLab
Date Reserved: 2025-09-09T07:52:56.383Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6977400a4623b1157c815e9b

Added to database: 1/26/2026, 10:20:58 AM

Last enriched: 1/26/2026, 10:37:16 AM

Last updated: 2/6/2026, 5:11:24 PM

