CVE-2025-59101: CWE-291: Reliance on IP Address for Authentication in dormakaba Access Manager 92xx-k5
Instead of using typical session tokens or cookies, the product verifies on a per-request basis whether the originating IP address has previously logged in successfully. As soon as an authentication request from a certain source IP succeeds, that IP address is treated as authenticated. No other session information is stored. It is therefore possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface.
AI Analysis
Technical Summary
CVE-2025-59101 is a CWE-291 (Reliance on IP Address for Authentication) weakness in dormakaba Access Manager 92xx-k5, in versions prior to XAMB 04.06.212. The web interface does not issue session tokens or cookies. A successful login adds the client's source IP address to a set of authenticated addresses, and every later request is authorized solely by checking whether its source address is in that set. No other session state is kept, so nothing ties a request to the browser, user or credential that actually logged in.
The consequence is that whoever can make requests arrive with an authenticated source address is authenticated. That is not limited to packet-level spoofing. A client behind the same NAT gateway or forward proxy as a logged-in administrator presents the same address and is accepted outright; a host that later receives the administrator's address (for example through DHCP reassignment) inherits the authenticated state; and an attacker on the same segment can take over the address with ARP spoofing or routing manipulation. Blind spoofing against a TCP/HTTP service is impractical because the attacker must complete the handshake, so in practice exploitation requires network adjacency to the management interface or a shared egress with an administrator.
The vulnerability carries a CVSS 4.0 base score of 7.7 (high): network attack vector, low attack complexity, no privileges required, passive user interaction, and high impact on confidentiality, integrity and availability. No exploitation in the wild has been reported. Because the flaw lies in the design of the session mechanism rather than in a single input path, no application-layer hardening short of the vendor update removes it; organizations should update to XAMB 04.06.212 or later and rely on network-level compensating controls until they do.
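The following is an added illustration of the pattern described above, written for this analysis; it is not dormakaba's code and does not reproduce the real Access Manager implementation. It models the vulnerable scheme (a login marks the source address as authenticated and nothing else is stored) beside a token-bound scheme, and runs one constructed scenario: an administrator logs in from 10.0.0.5, then a second client with the same source address (shared NAT, or an on-path spoof) sends a request with no credentials and no cookie. The user name, password, addresses and the PBKDF2 parameters are assumptions of the demo.

```python
"""IP-bound versus token-bound request authentication (CWE-291 illustration).

Added example, not code from the advisory or from dormakaba. All names,
addresses and the NAT scenario are constructed for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Demo password storage: PBKDF2-HMAC-SHA256 with a per-user salt (assumed parameters).
_PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)
    return salt, digest


def check_password(stored: tuple, candidate: str) -> bool:
    salt, digest = stored
    _, cand = hash_password(candidate, salt)
    return hmac.compare_digest(digest, cand)


@dataclass
class Request:
    """What the server sees: a source address set by the network (not by the
    user), the cookies the client chose to send, and the form body."""
    src_ip: str
    cookies: dict = field(default_factory=dict)
    body: dict = field(default_factory=dict)


class IpBoundAuth:
    """Model of the vulnerable scheme: a successful login marks the *address*
    as authenticated and nothing else is stored, so every later request from
    that address is accepted, whoever sent it."""

    def __init__(self, users: dict):
        self.users = users
        self.authenticated_ips = set()

    def login(self, req: Request) -> bool:
        user, pw = req.body.get("user"), req.body.get("password", "")
        if user in self.users and check_password(self.users[user], pw):
            self.authenticated_ips.add(req.src_ip)
            return True
        return False

    def is_authenticated(self, req: Request) -> bool:
        return req.src_ip in self.authenticated_ips


class TokenBoundAuth:
    """Hardened scheme: login returns a 256-bit random token to be set as a
    cookie. Only the SHA-256 of the token is kept server-side, and a request is
    authenticated by presenting the token, regardless of its source address."""

    def __init__(self, users: dict):
        self.users = users
        self.sessions = {}  # sha256(token) -> user

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, req: Request) -> Optional[str]:
        user, pw = req.body.get("user"), req.body.get("password", "")
        if user in self.users and check_password(self.users[user], pw):
            token = secrets.token_urlsafe(32)
            self.sessions[self._key(token)] = user
            return token
        return None

    def is_authenticated(self, req: Request) -> bool:
        token = req.cookies.get("session")
        return token is not None and self._key(token) in self.sessions


def demo() -> dict:
    """Administrator at 10.0.0.5 logs in; an attacker then sends a request that
    carries the same source address and neither credentials nor a cookie."""
    secret = "correct horse battery staple"          # demo password
    users = {"admin": hash_password(secret)}
    login_req = Request("10.0.0.5", body={"user": "admin", "password": secret})
    attacker_req = Request("10.0.0.5")                 # same address, nothing else

    vuln = IpBoundAuth(users)
    vuln.login(login_req)
    fixed = TokenBoundAuth(users)
    token = fixed.login(login_req)
    admin_req = Request("10.0.0.5", cookies={"session": token})

    return {
        "vulnerable_accepts_attacker": vuln.is_authenticated(attacker_req),
        "fixed_accepts_admin": fixed.is_authenticated(admin_req),
        "fixed_rejects_attacker": not fixed.is_authenticated(attacker_req),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the token-bound variant is that the authenticated state follows the client that holds the secret, not the address the network stamps on the packet; a second host behind the same NAT or a spoofed address gets nothing without the cookie. Hashing the token before storing it means a dump of the session table does not yield usable sessions.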
Potential Impact
The Access Manager controls physical access: doors, gates and restricted areas in corporate, governmental and critical-infrastructure facilities. An attacker with access to the web interface can change access permissions, add credentials, disable controls or release doors, so the impact reaches beyond data to physical entry, theft and sabotage, and to the availability of the building's security systems. European organizations in finance, healthcare, transport and government that deploy dormakaba products are exposed wherever the management interface is reachable from a network segment an attacker can occupy.
Exploitation requires no credentials, only the ability to present an authenticated source address: sitting behind the same NAT or proxy as an administrator, being on the same layer-2 segment and able to ARP-spoof, or being assigned the administrator's address later. Flat networks, shared management VLANs and administrators who browse the interface from ordinary workstations therefore raise the risk. Because no session identifier exists, the attacker's requests are logged under the administrator's IP address, which makes them hard to distinguish from legitimate activity and complicates detection and forensic attribution. Overall the weakness threatens the confidentiality, integrity and availability of the access management system, with knock-on effects on the organization's physical security posture.
Mitigation Recommendations
To mitigate CVE-2025-59101, organizations running the product should take the following actions:
1) Inventory all dormakaba Access Manager 92xx-k5 instances and record the XAMB firmware version of each; anything below 04.06.212 is affected.
2) Update to XAMB 04.06.212 or later, the first version not listed as affected. This is the only complete fix; the controls below reduce exposure but do not remove the weakness.
3) Until updated, confine the web interface to a dedicated management VLAN reachable only from named administrator hosts or a jump host, enforced by firewall rules and ACLs at the segment boundary. Do not place administrators behind a NAT gateway or proxy that other clients share, because every client behind it presents the same source address and is treated as authenticated along with them.
4) Require a VPN or TLS tunnel with client certificates (mutual authentication) to reach the interface, so the source address the Access Manager sees belongs to an authenticated tunnel endpoint rather than to whatever host is on the LAN.
5) Monitor the management network: enable dynamic ARP inspection and DHCP snooping on the switches, alert on IP-to-MAC changes for administrator addresses, and on the web or proxy logs alert when one authenticated address presents several User-Agents or makes configuration changes outside maintenance windows.
6) Note that multi-factor authentication on the login form does not help here, because the flaw is in how the authenticated state is bound after login, not in the login itself. Any additional factor belongs at the network layer (VPN client certificates, 802.1X/NAC on the management segment).
7) Include the access control system in regular audits and penetration tests, and after updating verify that a second host sharing an administrator's source address is refused.
8) Brief IT and security staff that a source IP address is not an identity and that management interfaces of physical security systems need the same session hygiene as IT systems.
These measures reduce the attack surface and protect the access management infrastructure until the update is applied.
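As an added example of the log-based monitoring in item 5, not part of the advisory or of any dormakaba tooling, the script below scans Combined Log Format lines for two indicators that fit an IP-keyed session store: an address that logged in and then issued protected requests with more than one User-Agent (a second client riding the administrator's address), and protected requests answered 2xx from an address with no login in the window (an old session, or an address reused by a new host; a lead rather than proof, since the login may predate the window). The /login and /admin/ paths, the 302-on-success convention and every log line are constructed for the demo.

```python
"""Detection over access logs for an IP-authenticated web interface.

Added example, not part of the advisory or any vendor tooling. Assumes the
Access Manager (or a reverse proxy in front of it) writes Combined Log Format;
LOGIN_PATH, PROTECTED_PREFIX, the 302 success convention and SAMPLE_LOG are constructed.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

LOGIN_PATH = "/login"            # assumed login endpoint
PROTECTED_PREFIX = "/admin/"     # assumed management paths

# Constructed sample: 10.0.0.5 logs in from Firefox, then python-requests appears on the
# same address; 10.0.0.9 is a normal session; 10.0.0.77 hits a protected page without logging in.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jan/2026:10:20:59 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
10.0.0.5 - - [26/Jan/2026:10:21:03 +0000] "GET /admin/doors HTTP/1.1" 200 1842 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/128.0"
10.0.0.5 - - [26/Jan/2026:10:24:11 +0000] "GET /admin/users HTTP/1.1" 200 912 "-" "python-requests/2.32.3"
10.0.0.5 - - [26/Jan/2026:10:24:12 +0000] "POST /admin/users/add HTTP/1.1" 200 120 "-" "python-requests/2.32.3"
10.0.0.9 - - [26/Jan/2026:10:30:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux) Chrome/131.0"
10.0.0.9 - - [26/Jan/2026:10:30:05 +0000] "GET /admin/doors HTTP/1.1" 200 1842 "-" "Mozilla/5.0 (X11; Linux) Chrome/131.0"
10.0.0.77 - - [26/Jan/2026:10:41:30 +0000] "GET /admin/doors HTTP/1.1" 200 1842 "-" "curl/8.5.0"
"""


def parse(log_text: str):
    """Yield one dict per line that matches the Combined Log Format; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(log_text: str) -> list:
    """Return findings keyed by source address.

    multiple_user_agents: the address logged in, then protected requests arrived
                          with more than one User-Agent.
    no_login_in_window:   protected requests got a 2xx from an address with no
                          successful login anywhere earlier in the window.
    """
    logged_in = set()
    agents = defaultdict(set)
    unauth_hits = defaultdict(int)
    for r in parse(log_text):
        if r["path"] == LOGIN_PATH and r["method"] == "POST" and r["status"] == "302":
            logged_in.add(r["ip"])          # assumed: 302 after POST /login means success
        elif r["path"].startswith(PROTECTED_PREFIX) and r["status"].startswith("2"):
            if r["ip"] in logged_in:
                agents[r["ip"]].add(r["ua"])
            else:
                unauth_hits[r["ip"]] += 1
    findings = []
    for ip, uas in agents.items():
        if len(uas) > 1:
            findings.append({"ip": ip, "indicator": "multiple_user_agents",
                             "user_agents": sorted(uas)})
    for ip, n in unauth_hits.items():
        findings.append({"ip": ip, "indicator": "no_login_in_window", "requests": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

User-Agent divergence is a weak signal on its own (browser updates, API scripts run by the same administrator), so it is best used to open an investigation together with the switch-side ARP and DHCP telemetry from item 5, which can show whether a second MAC address claimed the administrator's IP.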
Affected Countries
Germany, Switzerland, France, United Kingdom, Netherlands, Belgium, Austria, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-09T07:53:12.879Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6977400b4623b1157c815ebd
Added to database: 1/26/2026, 10:20:59 AM
Last enriched: 1/26/2026, 10:36:45 AM
Last updated: 2/7/2026, 7:57:58 PM