
CVE-2025-59107: CWE-798: Use of Hard-coded Credentials in dormakaba Access Manager 92xx-k5

Severity: High
Tags: Vulnerability, CVE-2025-59107, CWE-798
Published: Mon Jan 26 2026 (01/26/2026, 10:06:22 UTC)
Source: CVE Database V5
Vendor/Project: dormakaba
Product: Access Manager 92xx-k5

Description

Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP and extract the firmware is set statically and can be extracted. This password was valid for multiple observed firmware versions.

AI-Powered Analysis

Last updated: 01/26/2026, 10:35:31 UTC

Technical Analysis

The vulnerability identified as CVE-2025-59107 affects dormakaba Access Manager 92xx-k5 devices, specifically the FWServiceTool software used to update device firmware over a network. The firmware updates are delivered as encrypted ZIP files, which require a password to decrypt and extract the firmware. This password is hard-coded statically within the FWServiceTool software and remains valid across multiple firmware versions. Because the password can be extracted from the tool, an attacker with network access can decrypt the firmware packages without authorization. This undermines the confidentiality and integrity of the firmware update process, potentially allowing attackers to analyze, modify, or replace firmware images. The vulnerability does not require any authentication or user interaction, and the attack vector is local network access (AV:L). The CVSS 4.0 base score is 8.5 (high severity), reflecting the ease of exploitation and the high impact on confidentiality and integrity. No patches have been published yet, and no exploits are known in the wild. The root cause is the CWE-798 weakness—use of hard-coded credentials—which is a common but critical security flaw in embedded and IoT devices. Dormakaba Access Managers are widely used in physical access control systems, making this vulnerability particularly concerning for facilities relying on these devices for security.

Potential Impact

For European organizations, the impact of this vulnerability is significant due to the widespread use of dormakaba Access Manager 92xx-k5 devices in physical security infrastructure such as office buildings, data centers, and critical infrastructure sites. Exploitation could allow attackers to decrypt firmware updates, enabling reverse engineering or modification of firmware to implant backdoors or disrupt device operation. This could lead to unauthorized physical access, compromising the security of sensitive facilities. The confidentiality breach of firmware could also facilitate further attacks against the device or network. Given the vulnerability requires only local network access, attackers who gain internal network footholds could leverage this flaw to escalate their attack capabilities. The integrity of the access control system is at risk, potentially leading to operational disruptions or safety hazards. The absence of patches increases the urgency for organizations to implement compensating controls. The threat is particularly relevant for sectors with high physical security requirements, including government, finance, healthcare, and critical infrastructure operators across Europe.

Mitigation Recommendations

1. Immediately restrict network access to the FWServiceTool and dormakaba Access Manager devices by implementing network segmentation and strict firewall rules to limit access only to authorized personnel and systems.
2. Monitor network traffic for unusual or unauthorized attempts to access the firmware update process or FWServiceTool communications.
3. Employ strong internal network security controls, including intrusion detection/prevention systems (IDS/IPS) and network access control (NAC), to detect and block suspicious activity.
4. Coordinate with dormakaba to obtain and apply firmware or software updates as soon as they become available that remove the hard-coded password and implement secure key management practices.
5. Until patches are released, consider out-of-band firmware update methods or manual verification of firmware integrity using cryptographic hashes if supported.
6. Conduct regular security audits of physical access control systems to detect anomalies or signs of tampering.
7. Educate security and IT staff about the vulnerability and the importance of limiting network exposure of access control devices.
8. Implement multi-factor authentication and logging on management interfaces where possible to detect unauthorized access attempts.
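Recommendations 4 and 5 both come down to the same design point: a symmetric secret shipped inside the update tool (the static ZIP password here) protects nothing once the tool is in a user's hands, whereas a public key shipped inside the tool lets the updater verify firmware integrity without holding anything an attacker could reuse. The following is an added illustration of that pattern, not dormakaba's code or the FWServiceTool update format; the firmware bytes and the key pair are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed stand-in for a firmware archive (not a real dormakaba image).
var firmware = []byte("constructed firmware image v1")

// vendorSign models the vendor-side step, done offline with a private key
// that never ships with the tool: sign the SHA-256 digest of the image.
func vendorSign(priv ed25519.PrivateKey, img []byte) []byte {
	d := sha256.Sum256(img)
	return ed25519.Sign(priv, d[:])
}

// verifyFirmware models the updater-side check before installation. Only the
// public key is embedded in the tool, so extracting it (unlike extracting a
// static ZIP password) gives an attacker no ability to produce accepted images.
func verifyFirmware(pub ed25519.PublicKey, img, sig []byte) bool {
	d := sha256.Sum256(img)
	return ed25519.Verify(pub, d[:], sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	sig := vendorSign(priv, firmware)
	fmt.Println("genuine image accepted:", verifyFirmware(pub, firmware, sig))

	// A single flipped byte must cause rejection.
	tampered := append([]byte{}, firmware...)
	tampered[0] ^= 0xff
	fmt.Println("tampered image accepted:", verifyFirmware(pub, tampered, sig))
}
```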


Technical Details

Data Version: 5.2
Assigner Short Name: SEC-VLab
Date Reserved: 2025-09-09T07:53:12.880Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6977400b4623b1157c815edb

Added to database: 1/26/2026, 10:20:59 AM

Last enriched: 1/26/2026, 10:35:31 AM

Last updated: 1/26/2026, 7:00:17 PM

