Vulnerability in dormakaba Access Managers Allows Unauthorized Configuration
CVE-2025-59097

9.3 CRITICAL

What is CVE-2025-59097?

The exos 9300 application by dormakaba exposes Access Manager devices to a significant security risk. The application accepts configuration changes without prior authentication: they are driven solely by SOAP requests, which an attacker with network-level access can craft or manipulate. Because no protective settings are applied by default, essential controls are at risk; an attacker can reconfigure devices, open doors, change passwords, and potentially compromise the entire security infrastructure. Hardening via IPsec and mTLS is available but is not enabled by default. Consequently, many devices remain exposed to the internet and vulnerable to exploitation.

Affected Version(s)

Access Manager 92xx-K5: All Versions

Access Manager 92xx-K7: Older than BAME 06.00 must be configured

CVSS v4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Clemens Stockenreitner, SEC Consult Vulnerability Lab
Werner Schober, SEC Consult Vulnerability Lab