CVE-2025-59100 Overview
CVE-2025-59100 is an authentication bypass vulnerability in the web interface of Dormakaba access control systems. The web interface provides functionality to export the internal SQLite database, which triggers an automatic download followed by a device reboot. Under normal operation, the exported database is deleted after the reboot. However, due to a race condition or incomplete cleanup process, the device sometimes fails to reboot or fails to delete the export, leaving the database file accessible at a predictable path without requiring authentication.
This vulnerability exposes highly sensitive data including plaintext passwords, card PINs, encrypted Mifare sitekeys, and other critical access control credentials to unauthenticated attackers.
Critical Impact
Unauthenticated attackers can access exported SQLite databases containing passwords, card PINs, and encrypted Mifare sitekeys, potentially compromising physical access control systems.
Affected Products
- Dormakaba DKAccess web interface
- Dormakaba access control systems with web-based management
Discovery Timeline
- 2026-01-26 - CVE-2025-59100 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-59100
Vulnerability Analysis
This vulnerability is classified under CWE-285 (Improper Authorization), reflecting the fundamental failure to enforce authentication on a sensitive resource. The web interface's database export functionality creates a temporary file at a predictable, web-accessible location. The design assumes that the immediate reboot and subsequent file deletion provide adequate protection for this sensitive data.
The root cause lies in the unreliable cleanup mechanism that depends on a successful reboot sequence. When the reboot fails to occur or the deletion process is interrupted, the exported database remains accessible. Since the export path lacks authentication controls, any network-accessible attacker can directly request the database file and retrieve its contents.
Root Cause
The vulnerability stems from improper authorization controls on the database export file path combined with an unreliable cleanup mechanism. The system relies on device reboot behavior to secure sensitive data rather than implementing proper access controls on the exported file. This creates a window of opportunity where authentication is not enforced on sensitive database exports.
Attack Vector
An attacker with network access to the Dormakaba web interface can exploit this vulnerability by monitoring for or triggering database export operations. Once an export is created, the attacker can directly access the predictable file path without authentication. If the device fails to reboot or the cleanup process fails, the attacker gains access to the full database contents.
The attack requires network connectivity to the target device and depends on the timing window in which the exported database exists but has not yet been deleted. User interaction (triggering the export) is typically required, though attackers may wait for legitimate administrative operations to create export files.
Detection Methods for CVE-2025-59100
Indicators of Compromise
- Unexpected HTTP requests to database export file paths from external IP addresses
- Multiple failed or successful access attempts to SQLite database files via the web interface
- Unusual file access patterns on the device's web-accessible directories
- Network traffic containing SQLite database signatures from access control devices
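The SQLite signature mentioned in the last indicator can be checked as follows. This is an added example, not vendor or SentinelOne code: it tests a reassembled HTTP response body for the 16-byte SQLite 3 magic string and validates fixed header fields to cut false positives. The sample responses are constructed for the demonstration.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def sqlite_header(body):
    """Return header facts if body starts with a plausible SQLite 3 header, else None."""
    if len(body) < 24 or not body.startswith(SQLITE_MAGIC):
        return None
    (page_size,) = struct.unpack(">H", body[16:18])
    if page_size == 1:  # the stored value 1 encodes a 65536-byte page
        page_size = 65536
    # Page size must be a power of two between 512 and 65536.
    if page_size < 512 or page_size & (page_size - 1):
        return None
    # The three payload-fraction bytes are fixed at 64, 32, 32 by the file format.
    if tuple(body[21:24]) != (64, 32, 32):
        return None
    pages = struct.unpack(">I", body[28:32])[0] if len(body) >= 32 else None
    return {"page_size": page_size, "pages": pages}

def sqlite_in_http_response(raw):
    """Inspect one reassembled HTTP response; Content-Type is ignored on purpose."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/"):
        return None
    return sqlite_header(body)

def _sample_header(page_size=4096, pages=128):
    """Constructed 100-byte SQLite header, used only for the demo below."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    hdr[16:18] = struct.pack(">H", page_size)
    hdr[18:20] = b"\x01\x01"          # file format write/read versions
    hdr[21:24] = bytes((64, 32, 32))  # payload fractions
    hdr[28:32] = struct.pack(">I", pages)
    return bytes(hdr)

# Constructed sample traffic, not captured from a real device.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
                   + _sample_header())
SAMPLE_HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>login</html>"

if __name__ == "__main__":
    print(sqlite_in_http_response(SAMPLE_RESPONSE))
    print(sqlite_in_http_response(SAMPLE_HTML))
```

A compressed or chunked response body hides the magic string, so the check must run after the sensor has decoded the transfer encoding.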
Detection Strategies
- Monitor web server logs for requests to database export paths without corresponding authenticated sessions
- Implement network traffic analysis to detect SQLite file transfers from access control systems
- Deploy file integrity monitoring on database export directories
- Configure alerts for unexpected device reboot failures or anomalies
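One way to implement the first strategy, as an added example that is not vendor or SentinelOne code. It assumes the logs come from a reverse proxy writing Combined Log Format, where the user field is `-` for unauthenticated requests. The export path is a labelled placeholder because this page does not state it, and the management subnet and log lines are constructed.

```python
import ipaddress
import posixpath
import re
from urllib.parse import unquote

# Placeholder: the real export path is not stated on this page.
EXPORT_PATH = "/EXPORT_PATH_PLACEHOLDER.db"
# Assumption: management workstations sit in this sample subnet.
MGMT_NET = ipaddress.ip_network("10.0.1.0/24")

# Combined Log Format: host ident user [time] "request" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"[A-Z]+ (?P<target>\S+)[^"]*" (?P<status>\d{3})\b'
)

# Constructed sample lines, not taken from a real device.
SAMPLE_LOG = [
    '10.0.1.15 - admin [01/Jan/2026:09:12:01 +0000] "GET /EXPORT_PATH_PLACEHOLDER.db HTTP/1.1" 200 524288',
    '203.0.113.7 - - [01/Jan/2026:09:12:44 +0000] "GET /EXPORT_PATH_PLACEHOLDER.db HTTP/1.1" 404 162',
    '203.0.113.7 - - [01/Jan/2026:09:13:02 +0000] "GET //EXPORT_PATH_PLACEHOLDER.db?x=1 HTTP/1.1" 200 524288',
    '10.0.1.20 - - [01/Jan/2026:09:14:10 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

def normalize(target):
    """Strip the query, decode %-escapes and collapse //, /./ and /../."""
    path = unquote(target.split("?", 1)[0])
    return posixpath.normpath(re.sub(r"/+", "/", path))

def find_export_access(lines, export_path=EXPORT_PATH):
    """Return export-path requests lacking an authenticated user or a management source."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or normalize(m["target"]) != export_path:
            continue
        reasons = []
        if m["user"] == "-":
            reasons.append("no authenticated user")
        try:
            if ipaddress.ip_address(m["ip"]) not in MGMT_NET:
                reasons.append("source outside management subnet")
        except ValueError:
            reasons.append("unparseable source address")
        if reasons:
            # 2xx means the file existed and was served; anything else is a probe.
            verdict = "served" if m["status"].startswith("2") else "probe"
            findings.append({"ip": m["ip"], "verdict": verdict, "reasons": reasons})
    return findings
```

A `served` finding means database contents left the device and the stored credentials should be treated as exposed; a `probe` finding means the path was requested while no export file was present.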
Monitoring Recommendations
- Enable verbose logging on Dormakaba web interfaces to capture all file access attempts
- Implement network segmentation monitoring to detect unauthorized access to access control management interfaces
- Review authentication logs for patterns indicating reconnaissance of export functionality
- Deploy SentinelOne Singularity to monitor endpoint behavior and detect unauthorized database access attempts
How to Mitigate CVE-2025-59100
Immediate Actions Required
- Restrict network access to Dormakaba web interfaces using firewall rules and network segmentation
- Implement additional authentication controls at the network layer (VPN, IP allowlisting)
- Audit access control devices for any residual exported database files and remove them immediately
- Monitor for any unauthorized access to exported database files
Patch Information
Consult the Dormakaba Security Advisory for official patch information and firmware updates. Additional technical details are available from the SEC Consult DKAccess Advisory and the SEC Consult Dormakaba Advisory.
Organizations should apply vendor-provided security updates as soon as they become available and verify that the updated firmware properly enforces authentication on database export file paths.
Workarounds
- Isolate access control management interfaces on dedicated network segments not accessible from general corporate networks
- Implement reverse proxy authentication in front of the web interface to add an additional authentication layer
- Disable or restrict the database export functionality if not operationally required
- Configure monitoring to alert on any access to database export file paths
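```bash
# Network segmentation example - restrict access to the management interface.
# Only allow specific management workstations (here the 10.0.1.0/24 subnet) to reach the device.
# Note: the INPUT chain filters traffic addressed to the host these rules run on.
# On a gateway firewall placed in front of the device, use the FORWARD chain instead.
iptables -A INPUT -p tcp --dport 80 -s 10.0.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.1.0/24 -j ACCEPT
# Rules are evaluated in order: everything not accepted above is dropped.
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
```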
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


