CVE-2025-59104 Overview
CVE-2025-59104 is a hardware vulnerability that allows an attacker with physical access to a device to exploit an exposed debug interface. By soldering test leads to a debug footprint or using a 6-Pin tag-connect cable, an attacker can gain access to the bootloader. This access enables modification of the kernel command line, ultimately granting the attacker a root shell on the compromised device.
Critical Impact
Physical access to the debug interface allows complete system compromise, enabling attackers to obtain root-level access and full control over the affected device.
Affected Products
- Dormakaba access control devices (specific models not disclosed in advisory)
- Devices with exposed debug footprints or tag-connect interfaces
- Embedded systems with unprotected bootloader access
Discovery Timeline
- 2026-01-26 - CVE-2025-59104 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-59104
Vulnerability Analysis
This vulnerability represents a hardware security weakness stemming from the presence of an accessible debug interface on affected devices. The debug footprint, designed for manufacturing diagnostics and firmware development, remains active and unprotected on production units. The attack requires physical access to the device and specialized hardware (test leads or a 6-Pin tag-connect cable) to interface with the debug port.
Once connected to the debug interface, the attacker gains direct access to the device's bootloader. The bootloader, which initializes the hardware and loads the operating system kernel, accepts modifications to the kernel command line parameters without proper authentication or integrity verification. By manipulating these parameters, an attacker can instruct the system to boot into single-user mode or spawn a root shell directly, bypassing all normal authentication mechanisms.
This vulnerability is classified under CWE-1234 (Hardware Internal or Debug Modes Allow Override of Locks), which addresses security issues related to debug modes that permit bypassing security controls.
Root Cause
The root cause of this vulnerability is the failure to disable or protect the debug interface on production devices. Hardware debug interfaces are commonly used during development and manufacturing for testing and firmware programming. However, when these interfaces remain accessible on deployed devices without proper protection mechanisms such as hardware fuses, secure boot chains, or debug authentication, they create a direct pathway for attackers to compromise the system.
Additionally, the bootloader lacks integrity verification for the kernel command line parameters, allowing arbitrary modifications that can alter the system's boot behavior.
Attack Vector
The attack vector requires physical access to the target device. An attacker must locate the debug footprint on the device's circuit board, which may require opening the device enclosure. Using either soldered test leads or a 6-Pin tag-connect cable, the attacker establishes a connection to the debug interface.
Through this connection, the attacker interacts with the bootloader to modify the kernel command line. By appending parameters such as init=/bin/sh or single, the attacker can instruct the kernel to boot into a root shell or single-user mode without requiring authentication. This grants immediate root-level access to the device's operating system and all its data and functionality.
The attack, while requiring physical presence, can be performed relatively quickly by an attacker with appropriate hardware knowledge and equipment. The SEC Consult Security Advisory provides additional technical details on the exploitation methodology.
Detection Methods for CVE-2025-59104
Indicators of Compromise
- Physical signs of tampering on device enclosures or circuit boards
- Evidence of soldering or test probe contact marks near debug footprints
- Unexpected system boot configurations or modified kernel parameters
- Unauthorized root-level processes or modifications to system files
Detection Strategies
- Implement tamper-evident seals on device enclosures and regularly inspect for breaches
- Monitor boot logs for unexpected kernel command line parameters or boot mode changes
- Deploy physical intrusion detection systems in areas housing sensitive devices
- Conduct periodic physical security audits of deployed devices
Monitoring Recommendations
- Establish baseline configurations for bootloader and kernel parameters and alert on deviations
- Implement centralized logging for device boot events where technically feasible
- Monitor for unauthorized physical access to device installation locations
- Review access logs for areas containing vulnerable devices
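The boot-log and baseline checks recommended above can be scripted as follows. This is an added example, not code from the vendor or the advisory: it compares a kernel command line against an approved baseline and raises an alert on init=/bin/sh, single, and equivalent overrides. The baseline value and the extra parameter names beyond those two are assumptions.

```shell
#!/bin/sh
# Added example. BASELINE is a constructed sample, not taken from vendor firmware.
BASELINE='console=ttyS0,115200 root=/dev/mmcblk0p2 ro quiet'

# check_cmdline CMDLINE [BASELINE]
# Prints one finding per line. Returns 0 when CMDLINE matches the baseline
# token set, 1 on any deviation.
check_cmdline() {
    cmdline=$1
    baseline=${2:-$BASELINE}
    rc=0
    set -f                      # no glob expansion while word-splitting
    for tok in $cmdline; do
        case " $baseline " in
            *" $tok "*) continue ;;     # approved token
        esac
        rc=1
        case $tok in
            # init=/bin/sh and single are the parameters named in the text;
            # the rest are equivalent overrides added here as assumptions.
            init=*|rdinit=*|single|s|S|1|emergency|rescue)
                echo "ALERT auth-bypass parameter: $tok" ;;
            *)
                echo "WARN unexpected parameter: $tok" ;;
        esac
    done
    # A removed baseline token (for example "ro") is also a deviation.
    for tok in $baseline; do
        case " $cmdline " in
            *" $tok "*) ;;
            *) rc=1; echo "WARN baseline parameter missing: $tok" ;;
        esac
    done
    set +f
    return $rc
}

# Demo on a constructed tampered line; on a device pass "$(cat /proc/cmdline)".
check_cmdline "console=ttyS0,115200 root=/dev/mmcblk0p2 rw init=/bin/sh" || true
```

A check that runs on the device itself only helps if its output is forwarded to a log the attacker cannot edit after obtaining root.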
How to Mitigate CVE-2025-59104
Immediate Actions Required
- Restrict physical access to affected devices through secure installation practices
- Apply tamper-evident seals to device enclosures to detect physical intrusion attempts
- Audit all deployed devices for signs of prior tampering or unauthorized access
- Contact Dormakaba for vendor-specific guidance and updates
Patch Information
Vendor mitigation guidance is available through the Dormakaba Security Advisories page. Organizations should consult with the vendor regarding hardware-based mitigations such as firmware updates that implement secure boot verification or disable debug interfaces.
For detailed technical information about this vulnerability and recommended mitigations, refer to the SEC Consult Security Advisory.
Workarounds
- Deploy devices in physically secured locations with restricted and monitored access
- Implement physical tamper detection mechanisms on device enclosures
- Consider epoxy or conformal coating over debug interfaces to obstruct physical access
- Establish regular physical security inspection schedules for all deployed devices
Physical security controls are essential for mitigating this vulnerability, as the attack vector requires direct hardware access. Organizations should evaluate the physical security posture of all device deployment locations.

