CVE-2025-59102: CWE-312: Cleartext Storage of Sensitive Information in dormakaba Access Manager 92xx-k5
The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with the fact that an attacker can easily get access to the backup functionality by abusing the session management issue (CVE-2025-59101), or by exploiting the weak default password (CVE-2025-59108), or by simply setting a new password without prior authentication via the SOAP API (CVE-2025-59097), it is easily possible to access the sensitive data on the device.
AI Analysis
Technical Summary
CVE-2025-59102 is a vulnerability identified in the dormakaba Access Manager 92xx-k5 series, specifically in versions prior to XAMB 04.06.212. The core issue is the cleartext storage of sensitive information within a local database backup that the device’s web server allows users to download. This database contains comprehensive configuration data, including encrypted MIFARE keys, cardholder data, and critically, user PINs stored in plaintext. The vulnerability is exacerbated by the ease with which an attacker can access this backup functionality. Attack vectors include exploiting a session management flaw (CVE-2025-59101), leveraging weak default passwords (CVE-2025-59108), or resetting the device password without authentication via the SOAP API (CVE-2025-59097). These chained vulnerabilities enable attackers to bypass authentication and retrieve the backup containing sensitive data. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required for the initial exploit (due to chaining), no user interaction, and high impact on confidentiality. The vulnerability does not affect availability or integrity directly but compromises confidentiality severely. No patches are currently linked, and no known exploits are reported in the wild, but the risk remains significant due to the sensitive nature of the data exposed and the ease of access through related vulnerabilities.
Potential Impact
For European organizations, this vulnerability poses a significant risk to physical security and data confidentiality. The exposure of unencrypted PINs and access credentials can lead to unauthorized physical access to secure facilities, potentially compromising sensitive operations and data. Organizations relying on dormakaba Access Manager 92xx-k5 for access control in critical infrastructure sectors such as government, finance, healthcare, and transportation are particularly vulnerable. The compromise of MIFARE keys and card data could facilitate cloning or unauthorized use of access cards, undermining trust in physical security systems. Additionally, the ability to reset passwords without authentication increases the risk of insider threats or external attackers gaining persistent access. The medium CVSS score reflects the moderate complexity but high impact on confidentiality. The lack of known exploits currently provides a window for mitigation, but the chained nature of vulnerabilities means attackers with moderate skills could exploit this threat. This could lead to regulatory compliance issues under GDPR and other data protection laws if sensitive personal data is exposed.
Mitigation Recommendations
1. Immediately restrict access to the web server interface of the Access Manager devices, ideally isolating them on a secure management network.
2. Disable or restrict the backup download functionality until a patch or update is available.
3. Enforce strong, unique passwords on all devices, replacing any default or weak credentials.
4. Monitor and audit access logs for unusual activity, especially attempts to access backup functions or reset passwords via the SOAP API.
5. Implement network-level controls such as IP whitelisting and VPN access for management interfaces.
6. Regularly update and patch the Access Manager firmware as soon as vendor updates become available.
7. Conduct a thorough review of physical access logs and card issuance policies to detect potential misuse.
8. Educate administrators on the risks of the SOAP API and session management flaws and restrict API access to trusted personnel only.
9. Consider deploying additional multi-factor authentication mechanisms for access to management interfaces.
10. Engage with dormakaba support for guidance and to obtain any interim fixes or mitigations.
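To make recommendation 4 concrete, the following added example (not code from the advisory or from dormakaba) scans constructed web-server access-log lines for the two events the advisory ties together: an unauthenticated SOAP password-set call and a download of the full database backup. The request paths `/backup/download` and `/soap`, the `SetPassword` action name and the log format (common log format with the SOAP action appended as a final quoted field) are all assumptions for illustration, not documented Access Manager values.

```python
import re
from collections import defaultdict

# Assumed placeholder paths; substitute the device's real endpoints when deploying.
BACKUP_PATH = "/backup/download"
SOAP_PATH = "/soap"
SOAP_PASSWORD_ACTION = "SetPassword"

# Constructed sample log: one legitimate admin session (10.0.5.20) and one
# unauthenticated source (10.0.5.77) that sets a password, then pulls the backup twice.
SAMPLE_LOG = """\
10.0.5.20 - admin [26/Jan/2026:10:20:01 +0000] "GET /status HTTP/1.1" 200 512 "-"
10.0.5.77 - - [26/Jan/2026:10:21:13 +0000] "POST /soap HTTP/1.1" 200 233 "SetPassword"
10.0.5.77 - - [26/Jan/2026:10:21:40 +0000] "GET /backup/download HTTP/1.1" 200 98304 "-"
10.0.5.20 - admin [26/Jan/2026:10:25:02 +0000] "GET /backup/download HTTP/1.1" 200 98304 "-"
10.0.5.77 - - [26/Jan/2026:10:26:00 +0000] "GET /backup/download HTTP/1.1" 200 98304 "-"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<action>[^"]*)"$'
)


def analyze(log_text):
    """Return (ip, alert_type, severity) tuples for successful suspicious requests."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["status"] != "200":
            continue  # ignore unparseable lines and failed requests
        unauthenticated = m["user"] == "-"
        if m["path"] == BACKUP_PATH:
            # The backup holds the whole configuration, including plaintext PINs,
            # so every download is worth recording; unauthenticated ones are critical.
            alerts.append((m["ip"], "backup_download", "high" if unauthenticated else "medium"))
        elif m["path"] == SOAP_PATH and m["action"] == SOAP_PASSWORD_ACTION and unauthenticated:
            alerts.append((m["ip"], "unauth_password_set", "high"))
    return alerts


def summarize(alerts):
    """Per-source counts of each alert type, e.g. {'10.0.5.77': {'backup_download': 2, ...}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for ip, kind, _severity in alerts:
        summary[ip][kind] += 1
    return {ip: dict(kinds) for ip, kinds in summary.items()}


def chained_sources(alerts):
    """Sources that both reset a password without authentication and fetched the backup."""
    kinds_by_ip = summarize(alerts)
    return sorted(ip for ip, k in kinds_by_ip.items()
                  if "unauth_password_set" in k and "backup_download" in k)
```

A real deployment would read the device's actual log stream and feed `chained_sources` output into an alerting pipeline; the chain it flags is exactly the CVE-2025-59097 to CVE-2025-59102 path the advisory describes.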
Affected Countries
Germany, Switzerland, Austria, France, United Kingdom, Netherlands, Belgium, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-09T07:53:12.879Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6977400b4623b1157c815ec2
Added to database: 1/26/2026, 10:20:59 AM
Last enriched: 1/26/2026, 10:38:04 AM
Last updated: 2/4/2026, 1:48:29 AM