Database Vulnerability in Access Manager by Dormakaba
CVE-2025-59102
What is CVE-2025-59102?
The Access Manager's web server allows users to download backups of the local database, which contains sensitive configuration data, including unencrypted user PINs and encrypted MIFARE keys. Attackers can gain unauthorized access to this backup through session management vulnerabilities or by exploiting weak default passwords. Additionally, the SOAP API lacks authentication measures, which allows malicious users to alter passwords without proper verification and further facilitates access to other sensitive data stored on the device.

Affected Version(s)
Access Manager 92xx-k5 92xx-K5: <XAMB 04.06.212
