CVE-2025-59109: CWE-1295: Debug Messages Revealing Unnecessary Information in dormakaba registration unit 9002
CVE-2025-59109 is a medium severity vulnerability affecting dormakaba registration unit 9002 PIN pads. The device exposes a UART interface on its backside that transmits every button press, including PIN entries, in clear text. An attacker with physical access can remove the device, install a hardware implant connected to the UART, and exfiltrate PIN data wirelessly. This vulnerability requires physical access and user interaction to exploit but can lead to significant confidentiality breaches. No known exploits are currently in the wild. The affected versions are those with software versions below SW0039. The vulnerability impacts the confidentiality of PIN data but does not affect integrity or availability. European organizations using these devices in access control systems are at risk, especially in sectors with high physical security needs. Mitigation involves restricting physical access, monitoring for device tampering, and updating to patched versions once available. Countries with widespread dormakaba deployments and critical infrastructure are most likely to be affected.
AI Analysis
Technical Summary
The dormakaba registration unit 9002, a PIN pad device used in access control systems, contains a hardware vulnerability identified as CVE-2025-59109. The device has an exposed UART header on its backside that transmits every button press, including sensitive PIN entries, in an unencrypted form. This design flaw allows an attacker with physical access to the device to remove it and install a hardware implant that connects to the UART interface. The implant can then exfiltrate the captured PIN data to an external system, for example via WiFi, without requiring any software-level exploitation or authentication.

The vulnerability affects all versions of the device with software versions below SW0039. The attack vector relies on physical access and the ability to tamper with the hardware, which is facilitated by the device's plug-and-play design intended for easy replacement. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk to the confidentiality of PIN codes used for access control.

The CVSS 4.0 score is 5.1 (medium severity), reflecting the need for physical access, low attack complexity, no privileges required, and high impact on confidentiality. The vulnerability does not affect integrity or availability of the device or system. This issue is categorized under CWE-1295, indicating debug messages or information leakage that reveals unnecessary sensitive information. The vulnerability is particularly concerning for organizations relying on dormakaba registration units for secure physical access, as compromised PINs could lead to unauthorized entry and potential downstream security breaches.
Potential Impact
The primary impact of CVE-2025-59109 is the compromise of confidentiality of PIN codes entered on dormakaba registration unit 9002 devices. For European organizations, especially those in critical infrastructure, government, finance, healthcare, and large enterprises with physical access control systems, this vulnerability could enable attackers to bypass physical security controls by obtaining PINs covertly. Unauthorized access could lead to theft, espionage, or sabotage. Since the attack requires physical access and hardware tampering, organizations with less stringent physical security controls are at higher risk. The ease of implanting a hardware device that exfiltrates data wirelessly increases the stealth and persistence of the attack. The vulnerability does not directly affect system availability or data integrity but can facilitate further attacks once physical access is gained. The lack of known exploits in the wild currently limits immediate risk, but the vulnerability's nature makes it a significant concern for environments where dormakaba devices are deployed at scale. Organizations in Europe with large deployments of dormakaba access control systems should consider this a moderate risk that could escalate if exploited.
Mitigation Recommendations
1. Physically secure all dormakaba registration unit 9002 devices to prevent unauthorized removal or tampering, including installing tamper-evident seals and monitoring devices with physical intrusion detection.
2. Restrict physical access to areas where these PIN pads are installed, using surveillance cameras and access logs to detect suspicious activity.
3. Conduct regular inspections of the devices to identify any unauthorized hardware implants or modifications.
4. Coordinate with dormakaba to obtain and deploy software updates or patches as soon as they become available (versions SW0039 or later).
5. Consider deploying additional authentication factors or alternative access control methods that do not rely solely on PIN entry to reduce reliance on vulnerable devices.
6. Educate security personnel and users about the risks of physical tampering and encourage prompt reporting of any anomalies.
7. Implement network segmentation and monitoring for any wireless signals in proximity to the devices that could indicate data exfiltration attempts.
8. Maintain an asset inventory and lifecycle management process to track device versions and ensure timely upgrades.
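The inventory check from recommendations 4 and 8 can be automated. The following is an added example, not dormakaba tooling or code from this page: it assumes an inventory exported as CSV with hypothetical columns `asset_id`, `location`, `model` and `sw_version`, and assumes version strings follow the `SW` plus digits form seen in "SW0039".

```python
import csv
import io
import re

FIXED_VERSION = 39  # from the page: software versions below SW0039 are affected
SW_PATTERN = re.compile(r"^SW(\d+)$", re.IGNORECASE)  # assumed version format

# Constructed sample inventory; column names and rows are assumptions.
SAMPLE_INVENTORY = """\
asset_id,location,model,sw_version
RU-001,Lobby east,registration unit 9002,SW0035
RU-002,Server room,registration unit 9002,SW0039
RU-003,Loading dock,registration unit 9002,
RU-004,Lab 2,registration unit 9002,sw0041
RU-005,Parking gate,registration unit 9002,v3.8
RU-006,Reception,other reader,SW0010
"""


def classify(sw_version):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    match = SW_PATTERN.match(sw_version.strip())
    if not match:
        return "unknown"  # blank or unparseable: needs a manual check on site
    return "affected" if int(match.group(1)) < FIXED_VERSION else "fixed"


def audit(inventory_csv, model="registration unit 9002"):
    """Group asset ids of the given model by exposure status."""
    report = {"affected": [], "fixed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().lower() != model:
            continue  # other hardware is out of scope for this CVE
        report[classify(row["sw_version"] or "")].append(row["asset_id"])
    return report


if __name__ == "__main__":
    for status, assets in audit(SAMPLE_INVENTORY).items():
        print(f"{status:8} {', '.join(assets) or '-'}")
```

Units reported as `unknown` should be treated as affected until the version is confirmed on the device, and `affected` units are the ones to prioritize for physical inspection and tamper seals.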
Affected Countries
Germany, France, United Kingdom, Netherlands, Switzerland, Belgium, Italy, Spain, Sweden, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-09T07:53:12.880Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6977400b4623b1157c815ee5
Added to database: 1/26/2026, 10:20:59 AM
Last enriched: 1/26/2026, 10:37:34 AM
Last updated: 1/26/2026, 6:59:19 PM