CVE-2025-59108 Overview
CVE-2025-59108 is a critical insecure default configuration vulnerability in the Dormakaba Access Manager web interface. The web interface ships with the password 'admin', and in the version tested the product did not force that password to be changed. An attacker who can reach the web interface over the network and holds no legitimate credentials can therefore log in as the administrator with a well-known default and take control of the access management system.
Critical Impact
Attackers can leverage default 'admin' credentials to gain full administrative access to physical access control systems, potentially allowing unauthorized building entry, modification of access policies, and complete compromise of facility security.
Affected Products
- Dormakaba Access Manager (web interface)
- DKAccess systems with default configurations
Discovery Timeline
- 2026-01-26 - CVE-2025-59108 published to NVD
- 2026-01-26 - Last updated in NVD database
Technical Details for CVE-2025-59108
Vulnerability Analysis
This vulnerability falls under CWE-1392 (Use of Default Credentials), a security configuration flaw rather than a code defect. The Dormakaba Access Manager ships with the default password 'admin' for its web-based administrative interface; the password can be changed, so this is a default rather than a hardcoded credential (which would be CWE-798). More critically, the application does not force a password change on first login or at any later point, so a system stays vulnerable for as long as its administrators do not change the password by hand.
Physical access control systems are particularly sensitive targets, as compromise extends beyond data security to physical facility security. An attacker gaining administrative access can potentially unlock doors, modify access schedules, add unauthorized users, review access logs for reconnaissance, or disable security measures entirely.
Root Cause
The root cause is an insecure default configuration combined with missing security controls. The application ships with a trivially guessable default password ('admin') and fails to implement mandatory password change policies. This design flaw assumes administrators will proactively change credentials during deployment, which real-world experience shows is frequently overlooked, especially in physical security systems that may be installed by technicians without security expertise.
Attack Vector
The attack vector is network-based and requires neither valid credentials nor user interaction. Anyone who can reach the Access Manager web interface can log in with the default password 'admin'; no exploit code is involved, and because only one guess is needed, an account-lockout policy against brute force would not stop it. The attack can be carried out remotely where the web interface is exposed beyond the management network, or from inside the network the Access Manager sits on.
The exploitation process is straightforward: locate the Access Manager web interface (for example by network scanning), open the login page, and submit the default password 'admin'. A successful login yields full administrative privileges over the access control system.
Detection Methods for CVE-2025-59108
Indicators of Compromise
- Successful authentication events to the Access Manager web interface from unexpected IP addresses or at unusual times
- Multiple access policy modifications in rapid succession
- New user accounts created without corresponding legitimate provisioning requests
- Access logs showing login sessions originating from outside normal administrative networks
Detection Strategies
- Monitor authentication logs for the Access Manager web interface and alert on successful logins from addresses outside the administrative allowlist
- Implement network-level monitoring to detect connections to the Access Manager from unauthorized network segments
- Conduct periodic credential audits to verify default passwords have been changed across all access control appliances
- Deploy intrusion detection signatures for default-credential login attempts; this only works where the login is visible on the wire (plain HTTP, or TLS terminated at an inspecting proxy), otherwise rely on the appliance's own authentication log
Monitoring Recommendations
- Enable detailed authentication logging on all Dormakaba Access Manager instances
- Integrate Access Manager logs with SIEM solutions for centralized monitoring and correlation
- Establish baseline administrative activity patterns and alert on deviations
- Monitor for bulk exports of access logs or user databases that may indicate data exfiltration
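The indicators and monitoring items above, turned into detection rules and run over a constructed sample log. This is an added example, not Dormakaba or SEC Consult code: the page does not document the Access Manager's real log format, so the line format parsed here (ISO timestamp, event name, key=value fields), the event names, the sample log and all thresholds are assumptions; swap parse_line() for the product's real syslog or export format and keep the rules.

```python
#!/usr/bin/env python3
"""Detection rules for CVE-2025-59108 indicators, run over constructed log lines.

Added example, not Dormakaba or SEC Consult code. Log format, event names,
sample log and thresholds are ASSUMPTIONS; adapt parse_line() to the real
appliance output.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

# Tuning values, all assumed for the example; set them per site.
ADMIN_NETS = [ip_network("10.10.50.0/24")]     # administrative workstations / jump host
BUSINESS_HOURS = range(7, 19)                   # 07:00-18:59; logins outside are suspect
POLICY_BURST_COUNT = 3                          # this many policy edits ...
POLICY_BURST_WINDOW = timedelta(minutes=5)      # ... within this window is a burst
APPROVED_TICKETS = {"CHG-1042"}                 # provisioning requests on file
BULK_EXPORT_ROWS = 10_000                       # exports at or above this are bulk

# Constructed sample log (not real appliance output): one admin login from the
# jump host by day, then a session from an unexpected address at night.
SAMPLE_LOG = """\
2026-02-02T09:12:04 LOGIN_OK user=admin src=10.10.50.12
2026-02-02T23:41:10 LOGIN_OK user=admin src=192.168.7.55
2026-02-02T23:42:01 POLICY_MODIFY user=admin src=192.168.7.55 door=LOADING-DOCK
2026-02-02T23:42:30 POLICY_MODIFY user=admin src=192.168.7.55 door=SERVER-ROOM
2026-02-02T23:43:15 POLICY_MODIFY user=admin src=192.168.7.55 door=LOBBY
2026-02-02T23:44:00 USER_CREATE user=admin src=192.168.7.55 new_user=svc_maint
2026-02-02T23:45:30 EXPORT user=admin src=192.168.7.55 table=access_log rows=48213
2026-02-03T10:05:00 USER_CREATE user=j.ops src=10.10.50.12 new_user=u.schmidt ticket=CHG-1042
"""


class Alert(NamedTuple):
    ts: datetime
    rule: str
    src: str


LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")


def parse_line(line: str) -> Optional[dict]:
    """'<ISO-8601 ts> <EVENT> k=v k=v ...' -> dict; None for blank or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    return {"ts": when, "event": event, **fields}


def from_admin_net(src: str) -> bool:
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def detect(lines) -> List[Alert]:
    """Apply the rules to an iterable of log lines; alerts come back in log order."""
    alerts: List[Alert] = []
    recent_policy_edits = defaultdict(list)      # src -> timestamps inside the window
    for ev in filter(None, map(parse_line, lines)):
        ts, src = ev["ts"], ev.get("src", "?")
        if ev["event"] == "LOGIN_OK":
            if not from_admin_net(src):
                alerts.append(Alert(ts, "login_outside_admin_net", src))
            if ts.hour not in BUSINESS_HOURS:
                alerts.append(Alert(ts, "login_off_hours", src))
        elif ev["event"] == "POLICY_MODIFY":
            window = recent_policy_edits[src]
            window.append(ts)
            while ts - window[0] > POLICY_BURST_WINDOW:   # drop edits that aged out
                window.pop(0)
            if len(window) == POLICY_BURST_COUNT:         # fire once when first crossed
                alerts.append(Alert(ts, "policy_burst", src))
        elif ev["event"] == "USER_CREATE":
            if ev.get("ticket") not in APPROVED_TICKETS:
                alerts.append(Alert(ts, "unapproved_user_create", src))
        elif ev["event"] == "EXPORT":
            if int(ev.get("rows", 0)) >= BULK_EXPORT_ROWS:
                alerts.append(Alert(ts, "bulk_export", src))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.ts.isoformat()} {a.rule:<24} src={a.src}")
```

Run against the sample, the daytime jump-host activity produces nothing, while the night session raises five alerts in sequence (login from outside the admin network, off-hours login, policy-edit burst, user creation without a ticket, bulk export). The same rules fit a SIEM correlation search once the field names are mapped onto the appliance's real log schema.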
How to Mitigate CVE-2025-59108
Immediate Actions Required
- Immediately change the default 'admin' password on all Dormakaba Access Manager instances to a strong, unique password
- Audit all Access Manager installations to identify any systems still using default credentials
- Review access logs for signs of unauthorized administrative access
- Restrict network access to the Access Manager web interface to only authorized administrative workstations
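The single login attempt described under Attack Vector is also the credential audit the immediate actions call for. The script below is an added example, not Dormakaba or SEC Consult code. Its HTTP details are assumptions made for illustration: the login path (/login), the form field names (username, password), the default user name ('admin'; the advisory only states the password) and the way a successful login is recognised (a redirect away from the login page, or a 200 response that no longer contains the password field). Read those off a real appliance's login page before pointing it at production hosts. The transport is injectable so the logic can be exercised without a network.

```python
#!/usr/bin/env python3
"""Credential audit for CVE-2025-59108: does an Access Manager web interface
still accept the default password 'admin'?

Added example, not Dormakaba or SEC Consult code. Login path, field names,
default user name and the success heuristic are ASSUMPTIONS. The audit makes
exactly one attempt per host with the documented default, so it neither
triggers lockouts nor looks like a brute-force attack.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple
import urllib.error
import urllib.parse
import urllib.request

DEFAULT_USERNAME = "admin"   # assumed; the advisory only gives the password
DEFAULT_PASSWORD = "admin"   # the documented default
LOGIN_PATH = "/login"        # assumed endpoint
TIMEOUT_SECONDS = 5

# Transport signature: (url, form_fields) -> (http_status, response_body).
HttpPost = Callable[[str, dict], Tuple[int, str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 3xx responses visible instead of following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def post_form(url: str, fields: dict) -> Tuple[int, str]:
    """Real transport: one URL-encoded POST, redirects not followed."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=TIMEOUT_SECONDS) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:   # 3xx and 4xx arrive as exceptions
        return err.code, err.read().decode(errors="replace")


def login_succeeded(status: int, body: str) -> bool:
    """Assumed success heuristic; tune it to the product's real post-login page."""
    if 300 <= status < 400:
        return True
    return status == 200 and 'name="password"' not in body


@dataclass
class AuditResult:
    host: str
    default_password_accepted: bool
    detail: str


def check_host(host: str, http_post: HttpPost = post_form) -> AuditResult:
    """One login attempt with the default credentials against one host."""
    url = f"https://{host}{LOGIN_PATH}"
    fields = {"username": DEFAULT_USERNAME, "password": DEFAULT_PASSWORD}
    try:
        status, body = http_post(url, fields)
    except Exception as exc:   # unreachable host, TLS error, timeout
        return AuditResult(host, False, f"error: {exc}")
    return AuditResult(host, login_succeeded(status, body), f"HTTP {status}")


def audit(hosts: Iterable[str], http_post: HttpPost = post_form) -> List[AuditResult]:
    """Check every host once; hosts still on the default password sort first."""
    results = [check_host(h, http_post) for h in hosts]
    return sorted(results, key=lambda r: not r.default_password_accepted)


if __name__ == "__main__":
    import sys
    for r in audit(sys.argv[1:]):
        verdict = "DEFAULT PASSWORD ACCEPTED" if r.default_password_accepted else "ok"
        print(f"{r.host}: {verdict} ({r.detail})")
```

Invoke it as `audit.py am-01.example.internal am-02.example.internal`; a host whose self-signed certificate fails verification is reported as an error rather than as clean, so resolve those by trusting the site CA instead of disabling verification. Any host reported as accepting the default password should be treated as potentially compromised, as the last paragraph of this page says.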
Patch Information
Consult the Dormakaba Security Advisory for the latest security updates and firmware versions that may address this vulnerability. Additional technical details are available in the SEC Consult DKAccess Advisory and SEC Consult Dormakaba Advisory.
Workarounds
- Implement network segmentation to isolate Access Manager systems from general network access
- Deploy a VPN or jump host requirement for all administrative access to access control systems
- Enable IP-based access restrictions on the web interface if supported by the configuration
- Implement monitoring and alerting for any authentication attempts using known default credentials
Organizations should treat any system found with default credentials as potentially compromised and conduct a thorough security review of access logs and configuration changes.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

