CVE-2025-59105 is a vulnerability classified under CWE-312, indicating cleartext storage of sensitive information in dormakaba Access Manager 92xx-K5 devices. The affected products include all versions of the 92xx-K5 series, which are physical access control systems widely used in commercial and critical infrastructure environments. The vulnerability stems from the lack of encryption on the device's flash memory, allowing an attacker with physical access and sufficient time to desolder the flash memory chip, read or modify its contents, and then reinstall it without detection. On the Linux-based K7 model, this enables reading and modification of essential system files such as /etc/passwd, stored certificates, cryptographic keys, and PINs, which can be leveraged to gain SSH root access. On the Windows CE-based K5 model, the Access Manager password is stored in plaintext within an SQLite database, making it trivially extractable. The CVSS v4.0 score is 7.0 (high), reflecting the vulnerability's significant impact on confidentiality, integrity, and availability, despite requiring physical access (attack vector: physical) and no authentication or user interaction. No known exploits have been reported in the wild yet. The vulnerability highlights a critical design flaw in secure storage practices for embedded access control devices, exposing them to persistent and stealthy attacks that can compromise physical security and potentially broader network environments.

For European organizations, this vulnerability poses a serious threat to physical and information security. Access control systems like dormakaba's 92xx-K5 are often deployed in sensitive environments such as government buildings, financial institutions, healthcare facilities, and critical infrastructure sites. Exploitation could allow attackers to bypass physical security controls by gaining root access to the device, potentially enabling unauthorized entry, manipulation of access logs, or disabling alarms. The compromise of cryptographic keys and certificates could further facilitate lateral movement within internal networks or interception of secure communications. The integrity of stored PINs and passwords being compromised undermines trust in the access management system. Given the reliance on these systems for secure facility access, the vulnerability could lead to significant operational disruptions, data breaches, and regulatory compliance violations under GDPR and other European security standards. The requirement for physical access limits remote exploitation but does not diminish the risk in environments where insider threats or physical tampering are plausible.

1. Enhance physical security controls to prevent unauthorized access to the devices, including tamper-evident seals, secure enclosures, and surveillance. 2. Implement strict access policies and monitoring for areas housing these devices to reduce the risk of physical tampering. 3. Request and apply firmware updates or patches from dormakaba once available that address encryption of stored sensitive data. 4. Where possible, replace affected devices with models that implement hardware-based encryption and secure boot mechanisms to prevent unauthorized firmware or memory modifications. 5. Conduct regular audits and integrity checks of access control devices to detect unauthorized changes. 6. Limit the exposure of sensitive credentials by integrating multi-factor authentication and network segmentation to reduce the impact of device compromise. 7. Train personnel on the risks of physical tampering and ensure incident response plans include procedures for suspected device compromise. 8. Engage with dormakaba support to understand timelines for remediation and interim protective measures.