The dormakaba Access Manager 92xx-k5 hardware revision K7 introduces a significant security vulnerability identified as CVE-2025-59103. Unlike previous versions based on Windows CE, this revision runs Linux and exposes an SSH service on port 22. Analysis of the firmware reveals two user accounts with hardcoded, weak passwords that can be easily guessed, allowing unauthorized SSH access. One user’s password is intended to be randomized after initial deployment only if the device’s internal clock is set to a date prior to 2022. However, if the device clock is never set, reset due to battery replacement, or after a factory reset without receiving a valid time, the password remains in a default or predictable state. This design flaw creates a persistent attack vector where attackers can remotely access the device without authentication or user interaction. The vulnerability impacts confidentiality by exposing device credentials, integrity by allowing unauthorized configuration changes, and availability by potentially disrupting access control functions. The CVSS 4.0 score of 9.2 (critical) reflects the vulnerability’s ease of exploitation (network attack vector, no privileges or user interaction required) and its severe impact on all security properties. Although no exploits have been reported in the wild, the risk is high due to the device’s role in physical security and network infrastructure. The affected versions are specifically 92xx-K5 devices running firmware versions below BAME 05.01.88. The lack of patch links indicates that fixes may not yet be publicly available, emphasizing the need for proactive mitigation.

For European organizations, this vulnerability poses a critical risk to physical and network security. dormakaba Access Manager devices are widely used in Europe for controlling building access in corporate offices, government facilities, healthcare, and critical infrastructure sectors. Exploitation could allow attackers to bypass physical security controls by remotely accessing and manipulating door access systems, potentially enabling unauthorized entry. Furthermore, compromised devices could serve as footholds for lateral movement within enterprise networks, risking broader IT infrastructure compromise. The impact is especially severe for organizations with high security requirements, such as financial institutions, government agencies, and critical infrastructure operators. Disruption or manipulation of access control systems can lead to operational downtime, data breaches, and safety hazards. The vulnerability’s reliance on device clock settings means that devices in environments with poor time synchronization or maintenance practices are particularly vulnerable. Given the criticality of access control in security postures, the threat could have cascading effects on organizational security and compliance with European data protection and safety regulations.

Organizations should immediately inventory all dormakaba Access Manager 92xx-k5 devices and verify their hardware revision and firmware versions. Until patches are available, implement strict network segmentation to isolate these devices from general IT networks and restrict SSH access to trusted management hosts only. Manually verify and set the device internal clock to a date prior to 2022 to trigger password randomization where applicable, or reset passwords manually if supported by the device management interface. Monitor network traffic for unauthorized SSH connection attempts to these devices. Engage dormakaba support to obtain firmware updates or security advisories and apply patches promptly once released. Consider deploying compensating controls such as multi-factor authentication for device management interfaces and enhanced physical security monitoring. Regularly audit device configurations and access logs to detect suspicious activity. Finally, establish procedures to ensure device clocks remain synchronized and protected against resets that could revert passwords to weak defaults.