CVE-2025-59108 is a critical security vulnerability identified in all versions of dormakaba's Access Manager 92xx-k5 product line. The root cause is the use of a default password 'admin' for the web interface that is not enforced to be changed during setup or operation. This design flaw falls under CWE-1392, which concerns the use of default credentials that can be exploited by attackers. The vulnerability allows unauthenticated remote attackers to access the management interface without any user interaction or prior authentication. The CVSS 4.0 vector (AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. An attacker gaining access could manipulate physical access controls, potentially disabling security mechanisms or granting unauthorized entry. Although no public exploits have been reported, the simplicity of exploitation and critical nature of the affected system make this a severe threat. The vulnerability affects all versions of the 92xx-K5 series, which are widely deployed in enterprise and critical infrastructure environments for physical security management.

The impact on European organizations is substantial due to the critical role dormakaba Access Manager 92xx-k5 plays in physical access control systems. Unauthorized access to the management interface could allow attackers to bypass physical security controls, leading to unauthorized entry into secure facilities, theft, espionage, or sabotage. This could compromise sensitive data centers, government buildings, healthcare facilities, and industrial sites. The high CVSS score reflects the potential for full compromise of confidentiality, integrity, and availability of the access control system. Disruption or manipulation of physical security could also have cascading effects on operational continuity and safety. Given the lack of enforced password changes, many deployments may remain vulnerable, increasing the risk of widespread exploitation. The absence of known exploits in the wild suggests a window for proactive mitigation before active attacks emerge.

Organizations should immediately audit all dormakaba Access Manager 92xx-k5 devices to identify those still using default credentials. The highest priority action is to change the default 'admin' password to a strong, unique password that follows best practices for complexity and length. Network segmentation should be implemented to isolate the management interface from general network access, restricting it to trusted administrative hosts only. Where possible, enable multi-factor authentication if supported by the device or management platform. Regularly monitor access logs for unauthorized login attempts or suspicious activity. Dormakaba should be contacted for firmware updates or patches that enforce password changes or improve authentication mechanisms. Additionally, organizations should consider deploying intrusion detection systems to alert on anomalous access patterns to physical access management systems. Training and awareness for administrators on the risks of default credentials and secure configuration are essential to prevent recurrence.