CVE-2025-59106: CWE-272: Least Privilege Violation in dormakaba Access Manager 92xx-k7

Severity: High
Published: Mon Jan 26 2026 (01/26/2026, 10:06:13 UTC)
Source: CVE Database V5
Vendor/Project: dormakaba
Product: Access Manager 92xx-k7

Description

CVE-2025-59106 is a high-severity vulnerability in dormakaba Access Manager 92xx-k7 versions prior to BAME 06.00. The binary that implements the web server and executes every action requested from the Web UI runs with root privileges, violating the least privilege principle (CWE-272). The flaw is not itself an entry point: it turns any code-execution bug reached through the Web UI, or any other foothold an attacker gains on the device, into root with no further escalation step, giving full control over the device. The vulnerability has a CVSS score of 8.8, indicating high impact on confidentiality, integrity, and availability without requiring user interaction. No exploitation in the wild is known, but once initial access is obtained there is no privilege boundary left to cross. European organizations using dormakaba Access Manager 92xx-k7 should prioritize the update and apply compensating controls in the meantime. Countries with high adoption of dormakaba physical access control systems, and critical infrastructure relying on them, have the most at stake.

AI-Powered Analysis

AI analysis last updated: 02/03/2026, 08:41:06 UTC

Technical Analysis

CVE-2025-59106 identifies a high-severity vulnerability in the dormakaba Access Manager 92xx-k7 product line, in versions prior to BAME 06.00. The web server binary, which also executes every action requested from the Web UI, runs with root privileges. This violates the principle of least privilege (CWE-272): a component should hold only the privileges its function requires, and a web front end needs root for little more than binding a privileged port, which it can do at start-up before switching to a dedicated unprivileged account. Because the binary stays root, an attacker who obtains code execution in its context through any other flaw in the Web UI, or who otherwise gains code execution on the device, is root immediately; there is no separate escalation step to detect or block. That level of access allows full control of the device, including rewriting access control configuration, disabling security features, and using the controller as a pivot into the surrounding network. The CVSS v3.1 score of 8.8 corresponds to a high-severity rating, with an attack vector of network (AV:N), low attack complexity (AC:L), low privileges required (PR:L, consistent with an authenticated Web UI user), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H); the 8.8 figure implies scope unchanged (S:U). Note that the CVE record's own CVSS Version field (see Technical Details) is null, so this vector is the analysis's reading rather than a field of the record. No public exploit has been reported, but the flaw's nature makes it the natural second stage of any exploit chain that begins in the Web UI. The affected-version range identifies BAME 06.00 as the first unaffected release; organizations should confirm its availability for their hardware with dormakaba rather than assume a fix is already in hand. Dormakaba Access Manager is widely used in physical access control systems across corporate, government, and critical infrastructure environments, so the population depending on it for secure facility access is large.
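The design choice the analysis describes, a web process that stays root, beside the least-privilege start-up that avoids it, as an added Python example written for this page. It is not dormakaba code; the `webui` service account, the listening port, and the `run_ui_action` stand-in for "executing an action from the Web UI" are assumptions.

```python
"""Added example, not dormakaba code: the CWE-272 shape described above beside its
least-privilege counterpart.  A Web UI back end that stays root hands root to whoever
finds the next bug in it; binding the privileged port first and then dropping to a
dedicated account bounds that damage to the account's permissions."""
import os
import pwd
import grp
import socket
import subprocess

SERVICE_ACCOUNT = "webui"  # assumed dedicated unprivileged account (not from the advisory)
LISTEN_PORT = 443          # privileged port: the only reason the process must start as root


def bind_listener(port: int, host: str = "127.0.0.1") -> socket.socket:
    """Create and bind the listening socket.  Ports below 1024 need root or
    CAP_NET_BIND_SERVICE; do this before dropping privileges, then never go back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def is_privileged_account(user: str) -> bool:
    """True if `user` maps to uid 0 or gid 0; 'dropping' to such an account changes nothing."""
    entry = pwd.getpwnam(user)
    return entry.pw_uid == 0 or entry.pw_gid == 0


def drop_privileges(user: str) -> tuple[int, int]:
    """Irrevocably switch the process to `user`.  Order matters: supplementary groups,
    then gid, then uid, because after setuid() the process may no longer change them.
    setuid() called by root sets the real, effective and saved uid together."""
    if is_privileged_account(user):
        raise ValueError(f"{user!r} is privileged; refusing to 'drop' to it")
    entry = pwd.getpwnam(user)
    os.setgroups([g.gr_gid for g in grp.getgrall() if user in g.gr_mem])
    os.setgid(entry.pw_gid)
    os.setuid(entry.pw_uid)
    # Verify the drop stuck: regaining uid 0 must now fail with EPERM.
    try:
        os.setuid(0)
    except PermissionError:
        return entry.pw_uid, entry.pw_gid
    raise RuntimeError("privilege drop did not stick; saved uid is still 0")


def run_ui_action(argv: list[str]) -> str:
    """Stand-in for 'executing an action from the Web UI'.  Whatever the web process
    runs inherits the web process's identity: root in the vulnerable design,
    SERVICE_ACCOUNT in the hardened one."""
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout.strip()


def running_unprivileged() -> bool:
    """All three uids non-zero: no way back to root through setuid()/seteuid()."""
    return all(uid != 0 for uid in os.getresuid())


def start_hardened() -> socket.socket:
    """Hardened start-up: bind while privileged, drop, then serve as SERVICE_ACCOUNT."""
    srv = bind_listener(LISTEN_PORT)
    drop_privileges(SERVICE_ACCOUNT)
    if not running_unprivileged():
        raise RuntimeError("still privileged after drop")
    return srv


if __name__ == "__main__":
    # The vulnerable design is simply this line run as root and never followed by a drop.
    print("before drop, `id` reports:", run_ui_action(["id"]))
    if os.geteuid() == 0:
        start_hardened()
        print("after drop,  `id` reports:", run_ui_action(["id"]))
    else:
        print("not root: nothing to drop; the hardened path needs root only to bind port", LISTEN_PORT)
```

Run as root on a Linux test host that has a `webui` account to watch `id` change from uid 0 to the service account; run unprivileged, it only exercises the binding. The same drop can be delegated to the init system by running the service under a non-root user and granting only the capability needed to bind low ports, which keeps privilege handling out of the binary entirely.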

Potential Impact

For European organizations, the impact of CVE-2025-59106 can be severe. Physical access control systems are part of the security infrastructure itself, and compromise of the controller can translate into unauthorized physical access to sensitive areas, data centers, or operational facilities. Root on the Access Manager lets an attacker alter access permissions, disable alarms, or create persistent backdoors, undermining physical and cyber defenses at once and enabling espionage, theft, sabotage, or disruption of services. Organizations in finance, healthcare, government, energy, and transportation are particularly exposed because of their reliance on secure access management. A compromised controller is also a foothold for lateral movement into the corporate network, widening the blast radius well beyond the device. The network attack vector means the initial access stage does not require physical presence, so the management interface is the attack surface to minimize. Until the BAME 06.00 update is deployed, treat the device as one on which any Web UI compromise is a root compromise, which makes the compensating controls below urgent rather than optional.

Mitigation Recommendations

1. Limit exposure first: segment the Access Manager devices onto a dedicated management network and do not expose them to untrusted networks.
2. Restrict access to the management interface with firewall rules so that only authorized administrator workstations and monitoring systems can reach it.
3. Monitor device logs and network traffic for activity indicative of attempted exploitation. Because the web server already runs as root, there is no separate escalation event to look for; focus on unusual Web UI activity and unexpected outbound connections from the controller.
4. Tune intrusion detection/prevention systems (IDS/IPS) to the device's normal traffic profile so that anomalous behavior stands out.
5. Coordinate with dormakaba for updates and upgrade to BAME 06.00 or later, which the affected-version range identifies as the first unaffected release; confirm its availability for your hardware.
6. Include physical access control infrastructure in vulnerability assessments and penetration tests, since any other flaw in the Web UI is now a root-level flaw.
7. Enforce strong authentication and authorization for administrative access to the Access Manager; the PR:L in the CVSS vector means an attacker needs some Web UI privilege before this issue matters.
8. Where the platform permits, deploy compensating controls such as application allowlisting or containerization to limit what code execution on the device can do. On a vendor appliance this is often not possible, which is one more reason to prioritize items 1, 2 and 5.
9. Prepare incident response plans that specifically address compromise of physical access control systems.
10. Educate security teams about the risks of least privilege violations and the importance of layered defenses.
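The assessment in items 3 and 6 comes down to one question per host: which network-facing processes run as root? The Python below is an added example written for this page, not dormakaba tooling, that answers it on a Linux host by pairing `ss -tlnp` output with the effective uid from `/proc/<pid>/status`. The sample `ss` lines and status texts are constructed for the example, and the process names in them (`webui`, `sshd`, `postgres`) are illustrative, not taken from the device.

```python
"""Added example, not dormakaba tooling: find network services running as root on a
Linux host, i.e. the CWE-272 condition the advisory describes.  It pairs the listening
sockets reported by `ss -tlnpH` with the effective uid from each /proc/<pid>/status.
SS_SAMPLE and STATUS_SAMPLE below are constructed data for this example."""
import re
import subprocess
from pathlib import Path

# ss prints the owning process as users:(("name",pid=123,fd=4)); several may share a socket.
SS_PROCESS_RE = re.compile(r'\("(?P<name>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')


def parse_ss_listeners(ss_output: str):
    """Yield (addr, port, process_name, pid) for each LISTEN line of `ss -tlnp` output.
    Header lines and non-LISTEN states are skipped; rpartition keeps IPv6 '[::]' intact."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        for m in SS_PROCESS_RE.finditer(line):
            yield addr, int(port), m.group("name"), int(m.group("pid"))


def effective_uid(status_text: str) -> int:
    """Effective uid from /proc/<pid>/status ('Uid:\treal\teffective\tsaved\tfs')."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            return int(line.split()[2])
    raise ValueError("no Uid: line in status text")


def find_root_listeners(ss_output: str, status_by_pid: dict, expected_root=frozenset()) -> list:
    """Listening sockets whose owning process has euid 0, minus daemons that are expected
    to hold root (sshd, for instance, forks and drops privileges per session)."""
    findings = []
    for addr, port, name, pid in parse_ss_listeners(ss_output):
        status = status_by_pid.get(pid)
        if status is None or name in expected_root:
            continue  # process gone between snapshots, or explicitly allowlisted
        if effective_uid(status) == 0:
            findings.append({"process": name, "pid": pid, "addr": addr, "port": port})
    return findings


def live_snapshot():
    """Collect real data on the current host (Linux; needs root to see other users' pids)."""
    ss = subprocess.run(["ss", "-tlnpH"], capture_output=True, text=True, check=True).stdout
    status = {}
    for _addr, _port, _name, pid in parse_ss_listeners(ss):
        try:
            status[pid] = Path(f"/proc/{pid}/status").read_text()
        except FileNotFoundError:
            pass  # raced with process exit
    return ss, status


# Constructed sample: a web UI listening on 443 and 8080 as root, sshd as root
# (expected), and a database running under its own account.
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("webui",pid=612,fd=4))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=401,fd=3))
LISTEN 0      64     127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=700,fd=5))
LISTEN 0      128    [::]:8080           [::]:*            users:(("webui",pid=612,fd=5))
"""
STATUS_SAMPLE = {
    612: "Name:\twebui\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    401: "Name:\tsshd\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n",
    700: "Name:\tpostgres\nUid:\t105\t105\t105\t105\nGid:\t108\t108\t108\t108\n",
}

if __name__ == "__main__":
    for hit in find_root_listeners(SS_SAMPLE, STATUS_SAMPLE, expected_root={"sshd"}):
        print(f"ROOT LISTENER: {hit['process']} (pid {hit['pid']}) on {hit['addr']}:{hit['port']}")
    # On a real host: ss, status = live_snapshot(); find_root_listeners(ss, status, {"sshd"})
```

On the sample data this flags the `webui` process on both ports and ignores `postgres` and the allowlisted `sshd`. Running `live_snapshot()` on a fleet of Linux hosts gives a baseline of which services hold root; anything newly appearing in that list is the kind of change item 3 asks you to notice.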

Technical Details

Data Version
5.2
Assigner Short Name
SEC-VLab
Date Reserved
2025-09-09T07:53:12.879Z
Cvss Version
null
State
PUBLISHED

Threat ID: 6977400b4623b1157c815ed6

Added to database: 1/26/2026, 10:20:59 AM

Last enriched: 2/3/2026, 8:41:06 AM

Last updated: 2/7/2026, 12:33:13 AM
