CVE-2025-59100: CWE-285: Improper Authorization in dormakaba Access Manager 92xx-k5
The web interface offers a function to export the internal SQLite database. After the export is executed, an automatic download starts and the device reboots. After rebooting, the exported database is deleted and can no longer be accessed. However, it was observed that sometimes the device does not reboot, so the exported database is not deleted, or the device reboots but the export is not deleted for unknown reasons. The path where the database export is located can be accessed without prior authentication. As a result, an attacker might be able to obtain the exported database without prior authentication. The database includes sensitive data such as passwords, card PINs, encrypted Mifare sitekeys and much more.
AI Analysis
Technical Summary
CVE-2025-59100 is an improper authorization vulnerability (CWE-285) found in dormakaba Access Manager 92xx-k5 devices, specifically in versions prior to XAMB 04.06.212. The affected product provides a web interface feature to export its internal SQLite database, which contains highly sensitive information including user passwords, card PINs, and encrypted Mifare sitekeys used for physical access control. Upon initiating the export, the device is designed to automatically download the database and then reboot, which triggers deletion of the exported file to prevent unauthorized access. However, due to inconsistent behavior, the device sometimes fails to reboot or fails to delete the exported database after reboot. Critically, the exported database file is accessible via a web path that does not require authentication, allowing an unauthenticated attacker to retrieve the file if it remains present. This vulnerability arises from improper access control on the database export path and unreliable cleanup mechanisms. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requires user interaction (UI:A), with high impact on confidentiality (VC:H) and no impact on integrity or availability. Although no public exploits are currently known, the exposure of sensitive credentials and cryptographic keys poses a significant risk to physical and logical security. The vulnerability is classified as medium severity with a CVSS score of 5.9. Dormakaba has not yet published patches or mitigation guidance, so affected organizations must rely on compensating controls until updates are available.
Potential Impact
For European organizations, this vulnerability can lead to unauthorized disclosure of sensitive access control data, including passwords, card PINs, and encrypted sitekeys. Such data exposure could enable attackers to bypass physical security controls, impersonate authorized personnel, or escalate privileges within secure facilities. The risk is particularly high for organizations relying on dormakaba Access Manager 92xx-k5 for managing access to critical infrastructure, government buildings, or corporate offices. Confidentiality breaches could result in theft, espionage, or sabotage. Additionally, the exposure of encrypted keys might facilitate cryptographic attacks or cloning of access cards. The intermittent failure of the device to delete exported databases increases the attack window. Since the vulnerability requires no authentication and can be exploited remotely over the network, it significantly lowers the barrier for attackers. The medium CVSS score reflects moderate ease of exploitation combined with high confidentiality impact. Overall, this vulnerability threatens both physical and information security postures of affected European entities.
Mitigation Recommendations
1. Immediately restrict network access to the dormakaba Access Manager web interface to trusted administrative networks only, using firewalls or VLAN segmentation to prevent unauthorized external access.
2. Monitor the device's file system and web server logs for any unexpected access to the database export path or presence of exported database files.
3. Implement strict access control policies on the web interface, including multi-factor authentication and IP whitelisting where possible.
4. Regularly reboot the device manually if automatic reboot fails after database export to ensure deletion of exported files.
5. If feasible, disable or restrict the database export functionality until a vendor patch is available.
6. Engage with dormakaba support to obtain patches or firmware updates addressing this vulnerability as soon as they are released.
7. Conduct periodic security audits and penetration tests focusing on physical access control systems to detect potential exploitation.
8. Educate security and IT staff about this vulnerability and the importance of monitoring and controlling access to these devices.
9. Consider deploying network intrusion detection systems (NIDS) to alert on suspicious HTTP requests targeting the export path.
10. Maintain an incident response plan tailored to physical security breaches involving access control systems.
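Recommendations 2 and 9 both amount to watching the web server for requests that successfully retrieve a database file from the export path. The following is an added example (not from the advisory or from dormakaba) of that check run over constructed log lines; the `/export/` prefix, the Common Log Format and the trusted admin network are assumptions, since the advisory does not disclose the device's real export path or log format.

```python
import ipaddress
import re

# ASSUMED placeholder: the advisory does not name the real export path.
EXPORT_PATH_PREFIX = "/export/"
DB_SUFFIXES = (".sqlite", ".sqlite3", ".db")
# Constructed: networks from which administrators legitimately run exports.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Common Log Format (assumed; adapt to the device's real log format):
# host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def is_export_download(method, path, status):
    """Successful GET of a database file under the export path; the only
    legitimate hit is the administrator's own download right after exporting."""
    return (method == "GET" and status == 200
            and path.startswith(EXPORT_PATH_PREFIX)
            and path.lower().endswith(DB_SUFFIXES))

def analyse(log_lines):
    """One finding per export download: untrusted source -> ALERT, else INFO."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not is_export_download(m["method"], m["path"], int(m["status"])):
            continue
        src = ipaddress.ip_address(m["ip"])
        trusted = any(src in net for net in TRUSTED_ADMIN_NETS)
        findings.append({
            "level": "INFO" if trusted else "ALERT",
            "ip": m["ip"], "path": m["path"], "time": m["time"],
        })
    return findings

# Constructed sample: an admin export, unrelated traffic, then the same file
# served again to an outside host after the device should have removed it.
SAMPLE_LOG = [
    '10.10.0.5 - admin [26/Jan/2026:10:20:59 +0000] "GET /export/backup.sqlite HTTP/1.1" 200 204800',
    '10.10.0.5 - admin [26/Jan/2026:10:21:30 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [26/Jan/2026:11:05:12 +0000] "GET /export/backup.sqlite HTTP/1.1" 200 204800',
    '203.0.113.7 - - [26/Jan/2026:11:05:13 +0000] "GET /export/backup.sqlite HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f['level']}: {f['ip']} fetched {f['path']} at {f['time']}")
```

A 200 response for the export path from any source after the post-export reboot is itself the indicator that cleanup failed, so even the INFO findings are worth retaining to confirm the file disappeared afterwards.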
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Belgium, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-09T07:53:12.879Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6977400b4623b1157c815eb8
Added to database: 1/26/2026, 10:20:59 AM
Last enriched: 1/26/2026, 10:38:22 AM
Last updated: 2/7/2026, 12:40:54 PM