Elevation of Privilege in Dormakaba Web Server
CVE-2025-59106

8.8HIGH

Key Information:

Vendor

Dormakaba

Status
Access Manager 92xx-k7
Vendor
CVE Published:
26 January 2026

What is CVE-2025-59106?

The Dormakaba web server operates with root privileges, allowing any actions executed from its Web UI to run with administrative rights. This configuration violates the principle of least privilege, posing a significant risk. Should an attacker leverage existing vulnerabilities to execute code, they could potentially gain complete control over the system, as they would be able to run commands at the highest privilege level.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Access Manager 92xx-k7 92xx-k7: <BAME 06.00

References

https://r.sec-consult.com/dormakaba
technical-description
https://r.sec-consult.com/dkaccess
third-party-advisory
https://www.dormakabagroup.com/en/security-advisories
vendor-advisory

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Clemens Stockenreitner, SEC Consult Vulnerability Lab
Werner Schober, SEC Consult Vulnerability Lab
JSON
.