CVE-2025-59098 Overview
CVE-2025-59098 is an information disclosure vulnerability in the Dormakaba Access Manager trace functionality. The Access Manager implements a debug trace feature as a simple TCP socket that continuously broadcasts sensitive data without requiring authentication or encryption. An attacker with network-level access can connect to this socket using the provided TraceClient.exe tool or any TCP client to intercept sensitive information including Card IDs and PIN codes entered on registration units.
Critical Impact
Unauthenticated network attackers can capture all PIN codes entered on registration units and retrieve Card IDs, potentially enabling unauthorized physical access to secured facilities.
Affected Products
- Dormakaba Access Manager (versions with trace functionality enabled)
- Dormakaba Registration Units connected to affected Access Manager systems
- TraceClient.exe debugging tool, which is used to connect to the trace socket
Discovery Timeline
- 2026-01-26 - CVE-2025-59098 published to NVD
- 2026-01-26 - Last updated in the NVD database
Technical Details for CVE-2025-59098
Vulnerability Analysis
This vulnerability represents a classic example of exposure of sensitive system information to an unauthorized control sphere (CWE-497). The Access Manager's trace functionality was designed as a debugging mechanism to help administrators troubleshoot device errors and issues. However, the implementation exposes a critical security flaw: the TCP socket broadcasting debug information operates without any authentication mechanism or transport encryption.
The data transmitted through this debugging interface varies based on the configured verbosity level. Critically, this verbosity level can be manipulated through two vectors: the HTTP(S) endpoint using the service interface password, or through the SOAP interface using a guessable device identifier. This means an attacker can potentially increase the verbosity level to maximize the sensitive data captured, even if the default verbosity setting would have limited the exposure.
The most severe consequence of this vulnerability is the exposure of PIN codes. As users enter their PINs on registration units, each button press is transmitted through the trace socket. An attacker passively monitoring this socket can reconstruct complete PIN codes, effectively bypassing the physical access control system entirely.
Root Cause
The root cause of this vulnerability is the implementation of a debug functionality without proper access controls. The developers implemented a TCP socket-based trace system that permanently broadcasts debugging data to any connected client. The design failed to incorporate fundamental security controls including authentication requirements before accepting connections, encryption of transmitted data, and proper access control lists to restrict which hosts can connect to the debug interface.
Attack Vector
The attack requires network-level access to the Access Manager device. An attacker on the same network segment can connect to the trace TCP socket using the TraceClient.exe tool provided by Dormakaba or any standard TCP client. Once connected, the attacker receives a continuous stream of debug information without any credential verification.
The attack can be enhanced by manipulating the verbosity level to capture more detailed information. This can be accomplished either by guessing the device identifier through the SOAP interface or by compromising the service interface password to access the HTTP(S) endpoint. With elevated verbosity, the attacker gains access to Card IDs and complete PIN entry sequences from all connected registration units.
Detection Methods for CVE-2025-59098
Indicators of Compromise
- Unusual or unauthorized TCP connections to the Access Manager trace socket port
- Multiple concurrent connections to the trace functionality from different IP addresses
- Network traffic patterns showing continuous data streams from Access Manager devices to unknown hosts
- Changes to the trace verbosity level through the SOAP interface or HTTP(S) endpoint
Detection Strategies
- Monitor network traffic for connections to the Access Manager trace port from unauthorized systems
- Implement network segmentation detection to identify traffic crossing security boundaries
- Audit SOAP interface calls that modify trace verbosity settings
- Review Access Manager logs for service interface password authentication attempts
Monitoring Recommendations
- Deploy network monitoring to detect long-lived TCP connections to Access Manager devices
- Implement IDS/IPS rules to alert on trace socket connection patterns
- Monitor for changes to Access Manager configuration settings, particularly verbosity levels
- Establish baseline network behavior for Access Manager devices to detect anomalous connections
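The detection strategies and monitoring recommendations above can be turned into a simple flow-log check. The following is an added example, not Dormakaba's or SEC Consult's code: it runs over constructed Zeek conn.log-style flow records and flags the three network indicators this advisory lists (connections to the trace port from hosts other than the authorized administrative systems, long-lived trace sessions, and several distinct hosts connected to the same trace socket at the same time). The trace port number, the Access Manager addresses and the authorized-host allowlist are placeholders that must be replaced with site inventory.

```python
from collections import defaultdict

# Assumed values (not from the advisory): replace with site-specific inventory.
ACCESS_MANAGERS = {"10.20.0.5"}      # Access Manager appliances
TRACE_PORT = 9999                    # PLACEHOLDER: the real trace socket port
AUTHORIZED_ADMINS = {"10.20.0.50"}   # hosts allowed to run TraceClient.exe
LONG_LIVED_SECONDS = 300             # a trace session held open this long is suspicious

# Constructed flow records (ts, src, dst, dport, duration in seconds, bytes from the device).
SAMPLE_FLOWS = [
    {"ts": 1000, "src": "10.20.0.50", "dst": "10.20.0.5", "dport": 9999, "duration": 45,   "resp_bytes": 8_000},
    {"ts": 1010, "src": "10.20.7.33", "dst": "10.20.0.5", "dport": 9999, "duration": 3600, "resp_bytes": 5_000_000},
    {"ts": 1020, "src": "10.20.7.34", "dst": "10.20.0.5", "dport": 9999, "duration": 1800, "resp_bytes": 2_000_000},
    {"ts": 1030, "src": "10.20.7.33", "dst": "10.20.0.5", "dport": 443,  "duration": 2,    "resp_bytes": 1_200},
]

def trace_flows(flows):
    """Keep only flows that reach an Access Manager's trace socket."""
    return [f for f in flows if f["dst"] in ACCESS_MANAGERS and f["dport"] == TRACE_PORT]

def detect_trace_abuse(flows):
    """Return (src, dst, reason) alerts for the advisory's network indicators."""
    alerts = []
    sessions_by_device = defaultdict(set)
    for f in trace_flows(flows):
        if f["src"] not in AUTHORIZED_ADMINS:
            alerts.append((f["src"], f["dst"], "unauthorized source on trace port"))
        if f["duration"] >= LONG_LIVED_SECONDS:
            alerts.append((f["src"], f["dst"], "long-lived trace connection"))
        # Remember each session's interval so overlapping sessions can be counted.
        sessions_by_device[f["dst"]].add((f["src"], f["ts"], f["ts"] + f["duration"]))
    for dst, sessions in sessions_by_device.items():
        # A source counts as concurrent if its interval overlaps another source's interval.
        concurrent = {s for s, start, end in sessions
                      if any(o != s and ostart < end and oend > start
                             for o, ostart, oend in sessions)}
        if len(concurrent) > 1:
            alerts.append(("*", dst, f"{len(concurrent)} distinct hosts connected concurrently"))
    return alerts

if __name__ == "__main__":
    for src, dst, reason in detect_trace_abuse(SAMPLE_FLOWS):
        print(f"ALERT {src} -> {dst}: {reason}")
```

The overlap test treats any two sessions whose intervals intersect as concurrent, so a second host attaching while an administrator's TraceClient.exe session is open is reported even if the administrator's own connection is authorized.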
How to Mitigate CVE-2025-59098
Immediate Actions Required
- Disable the trace functionality on all Access Manager devices if not required for operations
- Implement network segmentation to isolate Access Manager devices from untrusted network segments
- Deploy firewall rules to restrict access to the trace socket port to authorized administrative systems only
- Review and strengthen the service interface password
Patch Information
Consult the Dormakaba Security Advisories page for official patch information and firmware updates. Additional technical analysis is available from SEC Consult's DKAccess analysis and the SEC Consult Dormakaba advisory.
Workarounds
- Implement strict network access controls to prevent unauthorized systems from connecting to Access Manager trace ports
- Use VLANs or network segmentation to isolate physical access control systems from general network traffic
- Disable the trace functionality entirely when not actively debugging issues
- If trace functionality must remain enabled, implement VPN or other encrypted tunnels for authorized administrative access
- Change the device identifier if it uses a predictable or guessable value to prevent SOAP interface manipulation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.