CVE-2025-59105 Overview
CVE-2025-59105 is a missing encryption vulnerability affecting access control devices that allows attackers with physical access to desolder and modify flash memory contents. This hardware-level security flaw enables extraction and modification of sensitive data including system files, certificates, cryptographic keys, stored PINs, and credentials, ultimately leading to complete device compromise.
Critical Impact
Attackers with physical access can gain SSH root access on Linux-based K7 models and extract plaintext credentials from Windows CE-based K5 models, compromising the entire access control system.
Affected Products
- Linux-based K7 access control devices
- Windows CE-based K5 access control devices
- Dormakaba access control systems with unencrypted flash storage
Discovery Timeline
- 2026-01-26 - CVE CVE-2025-59105 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-59105
Vulnerability Analysis
This vulnerability stems from CWE-312 (Cleartext Storage of Sensitive Information), where critical security data is stored without encryption on the device's flash memory. The affected access control systems fail to implement proper cryptographic protection for sensitive files stored on the flash memory chip.
On Linux-based K7 models, attackers can modify essential system files such as /etc/passwd to create new root accounts or alter existing credentials. Additionally, stored certificates and cryptographic keys can be extracted, enabling further attacks on the access control infrastructure. The lack of secure boot or integrity verification means modified firmware will be accepted by the device upon reinstallation.
For Windows CE-based K5 models, the vulnerability is particularly severe as the Access Manager password is stored in plaintext within a SQLite database. This allows immediate credential extraction without any cryptographic attacks or brute forcing.
Root Cause
The root cause of this vulnerability is the absence of encryption for sensitive data stored on flash memory. The devices store critical security credentials, certificates, and configuration files in cleartext, making them readable and modifiable if an attacker gains physical access to the memory chip. This represents a fundamental design flaw in the device's security architecture, where hardware-level protections were not implemented during the product design phase.
Attack Vector
The attack requires physical access to the target device. An attacker must desolder the flash memory chip from the device's circuit board, connect it to an external reader or programmer, modify the stored data, and then resolder the chip back onto the device. While this attack requires time, specialized equipment, and technical expertise, the lack of encryption makes the actual data extraction and modification trivial once physical access is obtained.
The exploitation process involves:
- Gaining physical access to the access control device
- Desoldering the flash memory chip using appropriate tools
- Reading the flash contents using a memory programmer
- Extracting sensitive data such as /etc/passwd, certificates, and cryptographic keys
- Modifying files to establish persistent access (e.g., adding SSH keys or modifying passwords)
- Resoldering the modified chip back onto the device
- Gaining root access via SSH on K7 models or extracting plaintext passwords from SQLite databases on K5 models
Detection Methods for CVE-2025-59105
Indicators of Compromise
- Evidence of physical tampering on access control device enclosures
- Unexpected SSH login attempts or sessions on K7 model devices
- Modified timestamps on system files such as /etc/passwd or certificate stores
- Unauthorized user accounts appearing in system configurations
- Changes to stored certificates or cryptographic key material
Detection Strategies
- Implement tamper-evident seals on device enclosures and regularly inspect for signs of physical intrusion
- Monitor SSH authentication logs for unexpected root login attempts from internal networks
- Deploy file integrity monitoring (FIM) solutions to detect unauthorized modifications to critical system files
- Establish baseline configurations and periodically verify device configurations against known-good states
Monitoring Recommendations
- Enable detailed logging for all authentication events on access control devices
- Configure alerts for any modifications to privileged account credentials or system files
- Implement physical security monitoring in areas where access control devices are deployed
- Conduct regular security audits of access control device configurations
How to Mitigate CVE-2025-59105
Immediate Actions Required
- Restrict physical access to all affected access control devices through secure enclosures and controlled access areas
- Conduct a physical security audit of all deployed K5 and K7 devices to identify potential tampering
- Review access logs and user accounts on affected devices for signs of unauthorized access
- Contact Dormakaba for guidance on firmware updates or hardware replacement options
Patch Information
Organizations should consult the official Dormakaba Security Advisory for the latest remediation guidance. Additional technical details are available in the SEC Consult DKAccess Advisory and SEC Consult Dormakaba Advisory. As this is a hardware-level vulnerability related to missing encryption, remediation may require firmware updates that implement encryption or hardware replacement depending on the vendor's mitigation approach.
Workarounds
- Implement strong physical security controls around all access control devices, including locked enclosures and surveillance
- Segment access control device networks to limit the impact of a compromised device
- Implement additional authentication layers and monitoring for administrative access to these systems
- Consider implementing network-level access controls to restrict SSH access to authorized management stations only
- For K5 models, regularly rotate Access Manager passwords and monitor for unauthorized access attempts
# Physical security verification checklist
# Inspect devices for signs of tampering:
# - Check for scratches or marks around screws
# - Verify tamper-evident seals are intact
# - Look for signs of reflow soldering on PCB
# - Compare device serial numbers against inventory
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
