UART Interface Vulnerability in dormakaba Registration Units
CVE-2025-59109

5.1 MEDIUM

Key Information:

Vendor

Dormakaba

CVE Published:
26 January 2026

What is CVE-2025-59109?

The dormakaba Registration Units 9002 have an exposed UART header through which PIN data can be intercepted and exfiltrated. The root cause is the design of the PIN pad units, which transmit every button press directly over the UART. An attacker can tamper with the device, install a hardware implant connected to the UART, and capture the PINs that are entered. Because the units are plug-and-play, such an operation is alarmingly easy to carry out and puts the confidentiality of PIN data at significant risk.

Affected Version(s)

dormakaba registration unit 9002 <SW0039

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Physical
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Clemens Stockenreitner, SEC Consult Vulnerability Lab
Werner Schober, SEC Consult Vulnerability Lab