
CVE-2025-59106: CWE-272: Least Privilege Violation in dormakaba Access Manager 92xx-k7

Severity: High
Tags: CVE-2025-59106, CWE-272
Published: Mon Jan 26 2026 (01/26/2026, 10:06:13 UTC)
Source: CVE Database V5
Vendor/Project: dormakaba
Product: Access Manager 92xx-k7

Description

CVE-2025-59106 is a least privilege violation vulnerability in dormakaba Access Manager 92xx-k7 versions prior to BAME 06.00. The web server binary responsible for executing all actions from the Web UI runs with root privileges, violating the principle of least privilege. If an attacker gains code execution through another vulnerability, the resulting commands run with root-level privileges, potentially compromising the entire system. No known exploits are currently in the wild. This vulnerability primarily affects physical access control systems used in organizations of many kinds. European organizations using dormakaba Access Manager 92xx-k7 should prioritize patching or mitigating this issue to prevent privilege escalation. The severity is assessed as high because of the potential for full system compromise without additional authentication. Mitigation involves applying updates when available, isolating the device at the network level, and monitoring for suspicious activity. Countries with significant dormakaba deployments and critical infrastructure reliance, such as Germany, Switzerland, and the UK, are most at risk.

AI-Powered Analysis

Last updated: 01/26/2026, 10:37:49 UTC

Technical Analysis

CVE-2025-59106 identifies a critical security vulnerability in the dormakaba Access Manager 92xx-k7 product line, specifically versions earlier than BAME 06.00. The core issue is a violation of the least privilege principle (CWE-272): the binary that serves the web interface and executes all commands initiated from the Web UI operates with root privileges. This architectural flaw means that if an attacker can exploit any other vulnerability to achieve code execution on the device, the attacker already holds root and faces no further privilege boundary. The vulnerability does not itself provide a remote code execution vector, but it significantly amplifies the impact of any other exploit by granting full system control. The Access Manager 92xx-k7 is a physical access control system widely used in enterprise and critical infrastructure environments to manage secure entry points. No CVSS score has been assigned yet, consistent with a newly published record, and no public exploits have been observed. However, the potential for privilege escalation to root level makes this a serious concern. The vulnerability highlights poor security design in running a critical service with excessive privileges, which increases the attack surface and the risk of complete system compromise when chained with other vulnerabilities. Dormakaba has not yet released a patch, and no mitigation links are available at this time.
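The pattern CWE-272 describes is a service that keeps root for its entire lifetime even though only one step (binding a privileged port) needs it. The following is an added example, not dormakaba's code and not a description of how their binary works: it shows the design a network service should follow on Linux, binding while privileged, then dropping permanently to a dedicated account, and refusing to serve if any uid or gid still permits regaining root. The account name `webui` and the port are assumptions for illustration.

```python
"""Privilege-drop pattern for a network service (added illustration of CWE-272's fix).

Assumptions: Linux, a dedicated unprivileged service account named 'webui'
(constructed name), and a service that only needs root to bind its port.
"""
import os
import pwd
import grp
import socket


def drop_privileges(username: str) -> None:
    """Permanently drop root: supplementary groups, then gid, then uid (in that order)."""
    if os.geteuid() != 0:
        return  # nothing to drop
    pw = pwd.getpwnam(username)
    os.setgroups([g.gr_gid for g in grp.getgrall() if username in g.gr_mem])
    # setgid/setuid rather than setegid/seteuid, so the saved ids are replaced
    # as well; a saved uid of 0 would let the process call seteuid(0) later.
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    os.umask(0o077)


def verify_unprivileged(resuid=None, resgid=None):
    """Return a list of findings describing any way the process could still act as root.

    resuid/resgid are (real, effective, saved) triples; they default to the live
    process values but can be passed explicitly to check recorded values.
    """
    ruid, euid, suid = resuid if resuid is not None else os.getresuid()
    rgid, egid, sgid = resgid if resgid is not None else os.getresgid()
    findings = []
    if euid == 0:
        findings.append("effective uid is 0: service still runs as root")
    if ruid == 0 or suid == 0:
        findings.append("real or saved uid is 0: seteuid(0) would restore root")
    if rgid == 0 or egid == 0 or sgid == 0:
        findings.append("a gid is 0: root-group access retained")
    return findings


def start_service(port: int, username: str) -> socket.socket:
    """Bind while privileged, drop, then verify before handling a single request."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("0.0.0.0", port))
    sock.listen(16)
    drop_privileges(username)
    problems = verify_unprivileged()
    if problems:
        sock.close()
        raise RuntimeError("refusing to serve: " + "; ".join(problems))
    return sock


if __name__ == "__main__":
    # Demo of the check against three process states (no root needed to run this).
    unpriv_gids = (1000, 1000, 1000)
    for label, uids in [("still root", (0, 0, 0)),
                        ("seteuid only", (0, 1000, 0)),
                        ("dropped", (1000, 1000, 1000))]:
        print(label, "->", verify_unprivileged(uids, unpriv_gids) or ["ok"])
```

The second demo case is the one that is easy to get wrong: a service that calls `seteuid()` looks unprivileged in `ps`, but its saved uid is still 0, so any code it later runs can switch back. The check treats that as equivalent to still being root.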

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on dormakaba Access Manager 92xx-k7 for physical security management. Successful exploitation could allow attackers to gain root-level access to the device, enabling them to manipulate access control policies, disable alarms, create unauthorized access credentials, or disrupt physical security operations. This could lead to unauthorized physical access to sensitive facilities, data breaches, and operational disruptions. The vulnerability also increases the risk posed by other vulnerabilities, as it allows privilege escalation. Organizations in sectors such as government, finance, healthcare, and critical infrastructure are particularly at risk, as these sectors often deploy such access control systems and are attractive targets for attackers. The lack of known exploits currently reduces immediate risk but does not diminish the potential severity if combined with other vulnerabilities. Additionally, the root-level access could be leveraged to pivot into broader network environments, threatening confidentiality, integrity, and availability of enterprise systems.

Mitigation Recommendations

1. Immediate mitigation should focus on network segmentation and isolation of dormakaba Access Manager devices to limit exposure to untrusted networks.
2. Implement strict access controls and monitoring on the management interfaces to detect and respond to suspicious activities promptly.
3. Employ host-based intrusion detection or endpoint protection solutions where possible to monitor for unauthorized command execution.
4. Regularly audit and harden the device configuration, disabling unnecessary services and interfaces to reduce attack surface.
5. Coordinate with dormakaba for timely updates and patches; prioritize deployment of the BAME 06.00 version or later once available.
6. Conduct penetration testing and vulnerability assessments on physical access control systems to identify and remediate other potential vulnerabilities that could be chained with this privilege escalation.
7. Maintain an incident response plan that includes scenarios involving physical security system compromise.
8. Consider compensating controls such as multi-factor authentication for administrative access to the device management interface.
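Items 3 and 4 above ask for host-level monitoring and configuration audits. One concrete audit a defender can run on any Linux host they administer is to list every network-listening process whose effective uid is 0, which is exactly the condition this CVE describes. The script below is an added example and not a dormakaba tool; it parses `/proc/net/tcp` and `/proc/<pid>/status` (the standard procfs formats), and ships with constructed sample data so it runs offline. Whether the vendor's appliance exposes a shell to run it on is not stated on this page and is not assumed here.

```python
"""Host audit: list network-listening processes that run as root (added example).

Assumptions: a Linux host with procfs. The SAMPLE_* data below is constructed
to mirror the advisory's pattern (a 'webui' service listening on 443 as uid 0).
"""
import os
import re

LISTEN_STATE = "0A"  # TCP state code for LISTEN in /proc/net/tcp


def parse_listen_sockets(proc_net_tcp: str) -> dict:
    """Map socket inode -> local port for every LISTEN entry in /proc/net/tcp text."""
    listeners = {}
    for line in proc_net_tcp.strip().splitlines()[1:]:  # first line is the header
        fields = line.split()
        local_addr, state, inode = fields[1], fields[3], fields[9]
        if state == LISTEN_STATE:
            listeners[inode] = int(local_addr.split(":")[1], 16)  # port is hex
    return listeners


def parse_uids(proc_status: str) -> tuple:
    """Return (real, effective, saved, filesystem) uids from /proc/<pid>/status text."""
    m = re.search(r"^Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", proc_status, re.M)
    return tuple(int(x) for x in m.groups())


def find_root_listeners(listeners: dict, processes: list) -> list:
    """processes: dicts with pid, name, uids, socket_inodes. Returns (pid, name, ports)."""
    findings = []
    for proc in processes:
        if proc["uids"][1] != 0:  # effective uid
            continue
        ports = sorted(listeners[i] for i in proc["socket_inodes"] if i in listeners)
        if ports:
            findings.append((proc["pid"], proc["name"], ports))
    return findings


def collect_live_processes() -> list:
    """Walk /proc on the running host (reading other users' fd dirs needs root)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/status") as f:
                status = f.read()
            name = re.search(r"^Name:\s+(.*)$", status, re.M).group(1)
            inodes = []
            for fd in os.listdir(f"/proc/{pid}/fd"):
                target = os.readlink(f"/proc/{pid}/fd/{fd}")
                if target.startswith("socket:["):
                    inodes.append(target[len("socket:["):-1])
            procs.append({"pid": int(pid), "name": name,
                          "uids": parse_uids(status), "socket_inodes": inodes})
        except (OSError, AttributeError):
            continue  # process exited mid-scan or is not readable
    return procs


# Constructed sample data: ports 0x01BB=443, 0x0016=22, 0x1F90=8080.
SAMPLE_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 100 0 0 10 0
"""
SAMPLE_PROCESSES = [
    {"pid": 412, "name": "webui", "uids": parse_uids("Name:\twebui\nUid:\t0\t0\t0\t0\n"),
     "socket_inodes": ["12345"]},
    {"pid": 500, "name": "sshd", "uids": (0, 0, 0, 0), "socket_inodes": ["12346"]},
    {"pid": 611, "name": "app", "uids": (1000, 1000, 1000, 1000), "socket_inodes": ["12347"]},
]


def audit(net_tcp=SAMPLE_NET_TCP, processes=SAMPLE_PROCESSES) -> list:
    """Run the audit; pass live data from /proc to check the real host."""
    return find_root_listeners(parse_listen_sockets(net_tcp), processes)


if __name__ == "__main__":
    for pid, name, ports in audit():
        print(f"pid {pid} ({name}) listens on {ports} with effective uid 0")
```

To run it against the live host, call `audit(open("/proc/net/tcp").read(), collect_live_processes())` as root. Every hit is a question rather than a verdict: some daemons (sshd is the classic case) legitimately hold root and isolate the network-facing part in a separate unprivileged process, whereas a web UI that executes all its actions from the root process, as this advisory describes, has no such separation.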


Technical Details

Data Version: 5.2
Assigner Short Name: SEC-VLab
Date Reserved: 2025-09-09T07:53:12.879Z
CVSS Version: null
State: PUBLISHED

Threat ID: 6977400b4623b1157c815ed6

Added to database: 1/26/2026, 10:20:59 AM

Last enriched: 1/26/2026, 10:37:49 AM

Last updated: 1/26/2026, 7:00:09 PM
