The dormakaba Access Manager 92xx-k5 product incorporates an open-source web server called CompactWebServer, written in C#. This web server suffers from a path traversal vulnerability (CWE-35) identified as CVE-2025-59099, which allows attackers to manipulate file path parameters in HTTP GET requests to access arbitrary files on the underlying file system without any authentication. The vulnerability affects versions prior to XAMB 04.05.21. Exploiting this flaw, an attacker can retrieve sensitive files including the SQLite database file Database.sq3, which contains badge information and associated PIN codes used for physical access control. This breach compromises confidentiality by exposing credentials and access data. Additionally, attempts to access certain files cause the web server to crash and become unreachable for approximately 60 seconds, enabling an attacker to mount a denial-of-service attack by repeatedly triggering these requests. The vulnerability requires no privileges or user interaction and can be exploited remotely over the network, increasing its risk profile. Although no public exploits are currently known in the wild, the high CVSS 8.8 score reflects the critical nature of the vulnerability due to its ease of exploitation and impact on confidentiality and availability. The lack of authentication bypasses any access control mechanisms, making all deployments of affected versions vulnerable. This vulnerability is particularly concerning for organizations relying on dormakaba Access Manager for physical security management, as it exposes sensitive access credentials and can disrupt access control services.

For European organizations, the impact of CVE-2025-59099 is significant. The exposure of badge information and PIN codes undermines physical security controls, potentially allowing unauthorized access to sensitive facilities, data centers, or restricted areas. This can lead to theft, espionage, or sabotage. The ability to cause denial of service by crashing the web server disrupts access management operations, potentially locking out legitimate users and causing operational downtime. Organizations in critical infrastructure sectors such as energy, transportation, finance, and government are especially at risk, as they often rely on dormakaba systems for secure access control. The breach of confidentiality and availability can also have regulatory implications under GDPR, as personal data related to employees or contractors may be exposed. The vulnerability’s remote exploitation capability increases the attack surface, requiring urgent attention to prevent exploitation by cybercriminals or state-sponsored actors targeting European entities.

To mitigate CVE-2025-59099, affected organizations should immediately upgrade dormakaba Access Manager 92xx-k5 to version XAMB 04.05.21 or later, where the vulnerability is addressed. In the absence of a patch, network segmentation should be enforced to isolate the Access Manager web server from untrusted networks, limiting exposure to potential attackers. Deploy web application firewalls (WAFs) or intrusion prevention systems (IPS) with custom rules to detect and block path traversal patterns in HTTP requests targeting the CompactWebServer. Regularly audit and monitor access logs for suspicious GET requests attempting directory traversal sequences (e.g., ../). Implement strict access controls on the file system hosting the web server to minimize the impact of unauthorized file access. Additionally, consider disabling or restricting access to the embedded web server if not required for daily operations. Conduct thorough security assessments and penetration tests post-mitigation to verify the effectiveness of applied controls. Finally, ensure incident response plans include procedures for handling potential data breaches involving physical access credentials.