Access Manager 92xx Vulnerability in Dormakaba's K7 Hardware Revision
CVE-2025-59103

9.2 CRITICAL

Key Information:

Vendor: Dormakaba
CVE Published: 26 January 2026

What is CVE-2025-59103?

The Access Manager 92xx in its K7 hardware revision runs on a Linux platform, unlike previous versions, which operated on Windows CE. A significant security flaw has been identified in this revision: an SSH service is exposed on port 22, allowing potential unauthorized access. Two user accounts exist on the device, both with weak, hardcoded passwords that are easy to guess. Although one of the user passwords can be randomized after initial deployment, this only occurs if the configured date is set prior to 2022, leaving devices vulnerable if the clock is never set, the battery is replaced, or the device undergoes a factory reset without a subsequent time setting.

Affected Version(s)

Access Manager 92xx-k5 92xx-K5: <BAME 05.01.88

CVSS V4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Clemens Stockenreitner, SEC Consult Vulnerability Lab
Werner Schober, SEC Consult Vulnerability Lab