CVE-2025-59102 Overview
CVE-2025-59102 is a sensitive data exposure vulnerability affecting the Dormakaba Access Manager web server. The web server provides functionality to download a backup of the local database stored on the device, which contains the entire system configuration including encrypted MIFARE keys, card data, and user PINs. Critically, user PINs are stored unencrypted within this database backup.
This vulnerability becomes significantly more dangerous when combined with other identified weaknesses in the Access Manager. An attacker can gain access to the backup functionality by exploiting the session management vulnerability (CVE-2025-59101), leveraging weak default passwords (CVE-2025-59108), or setting a new password without prior authentication through the SOAP API (CVE-2025-59097). This chain of vulnerabilities allows unauthorized access to highly sensitive access control data.
Critical Impact
Attackers can retrieve unencrypted user PINs, encrypted MIFARE keys, and complete card data from the Access Manager database backup, potentially compromising physical security systems.
Affected Products
- Dormakaba Access Manager
Discovery Timeline
- 2026-01-26 - CVE-2025-59102 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-59102
Vulnerability Analysis
This vulnerability is classified under CWE-312 (Cleartext Storage of Sensitive Information). The fundamental security flaw lies in the storage architecture of the Access Manager's local database. When the backup functionality is invoked, the exported database file contains sensitive credentials and access control data in an insecure manner.
The most severe aspect of this vulnerability is that user PINs are stored without any encryption. While MIFARE keys are encrypted in the backup, the presence of plaintext PINs represents a significant security failure. Physical access control systems rely on the confidentiality of these credentials to maintain facility security.
The vulnerability is network-accessible, though it requires privileged access to the web interface. However, this privilege requirement is effectively nullified by the presence of related vulnerabilities that allow authentication bypass. The attack chain involving CVE-2025-59097, CVE-2025-59101, or CVE-2025-59108 means that the high privilege requirement can be easily circumvented.
Root Cause
The root cause stems from insecure data storage practices within the Access Manager's database architecture. The application fails to implement proper encryption for sensitive user credentials, specifically storing user PINs in cleartext. Additionally, the backup functionality does not implement adequate access controls or encryption for the exported database files, allowing anyone with web interface access to retrieve the complete system configuration.
Attack Vector
The attack leverages network access to the Access Manager's web server. An attacker first gains authenticated access to the web interface through one of several available methods: exploiting the session management vulnerability, using weak default credentials, or setting a new password via the unauthenticated SOAP API endpoint.
Once authenticated, the attacker can utilize the backup download functionality to retrieve the complete database file. This file can then be analyzed offline to extract sensitive information including plaintext user PINs, encrypted MIFARE keys (which may be vulnerable to offline attacks), card data, and complete system configuration details.
The attack does not require physical access to the device and can be conducted remotely over the network, making it particularly dangerous for internet-exposed Access Manager installations.
Detection Methods for CVE-2025-59102
Indicators of Compromise
- Unexpected database backup download requests in web server access logs
- Multiple authentication attempts or session anomalies preceding backup downloads
- Unusual SOAP API activity, particularly password change requests without prior authentication
- Access to backup functionality from unfamiliar IP addresses or at unusual times
Detection Strategies
- Monitor web server logs for requests to backup download endpoints
- Implement alerting on database export functionality usage
- Track authentication events and correlate with backup access patterns
- Review SOAP API request logs for unauthenticated administrative actions
Monitoring Recommendations
- Enable verbose logging on the Access Manager web interface
- Deploy network monitoring to detect data exfiltration patterns matching database file sizes
- Implement SIEM rules to correlate authentication bypass indicators with backup access
- Regularly audit user accounts and access patterns on Access Manager devices
How to Mitigate CVE-2025-59102
Immediate Actions Required
- Restrict network access to Access Manager web interfaces to trusted management networks only
- Change all default passwords immediately
- Review and audit all existing user accounts and access privileges
- Consider rotating user PINs and MIFARE credentials as a precautionary measure
Patch Information
Organizations should consult the Dormakaba Security Advisories page for official patches and firmware updates addressing this vulnerability. Additional technical details are available from the SEC Consult DKAccess Advisory and SEC Consult Dormakaba Advisory.
Workarounds
- Isolate Access Manager devices on dedicated management VLANs with strict firewall rules
- Implement network-level access controls to restrict who can reach the web interface
- Disable or restrict the backup functionality if not operationally required
- Deploy a web application firewall (WAF) to monitor and filter requests to the management interface
- Enable multi-factor authentication for administrative access where supported
# Network isolation example - restrict access to Access Manager
# Add firewall rules to limit web interface access to management hosts only
iptables -A INPUT -p tcp --dport 80 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -s 10.0.100.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j DROP
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
