CVE-2025-59109 Overview
CVE-2025-59109 is a hardware vulnerability affecting dormakaba registration units 9002 (PIN Pad Units) where an exposed UART header on the backside of the device allows attackers with physical access to exfiltrate user PINs. The PIN pad transmits every button press to the UART interface, enabling an attacker to capture sensitive authentication credentials by installing a hardware implant that connects to this interface.
Critical Impact
Physical access attackers can exfiltrate user PINs by exploiting the exposed UART debug interface on dormakaba 9002 PIN Pad Units, potentially compromising access control security for protected facilities.
Affected Products
- dormakaba registration units 9002 (PIN Pad Units)
- dormakaba Access Control Systems utilizing 9002 PIN Pads
Discovery Timeline
- 2026-01-26 - CVE-2025-59109 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2025-59109
Vulnerability Analysis
This vulnerability falls under CWE-1295 (Debug Messages Revealing Unnecessary Information), which describes scenarios where debug interfaces or logging mechanisms expose sensitive data that should not be accessible. The dormakaba 9002 PIN Pad Units contain a UART (Universal Asynchronous Receiver-Transmitter) debug header that remains exposed and active on production devices. When users enter their PIN codes, each button press is transmitted to this UART interface in real time, creating a significant side channel for credential theft.
The Plug-and-Play design philosophy of these access control devices, while intended for easy maintenance and replacement, inadvertently facilitates physical attacks. An adversary can quickly remove the PIN pad from its mounting location, access the UART header on the backside, and install a compact hardware implant capable of capturing and exfiltrating the transmitted data.
Root Cause
The root cause of this vulnerability is the failure to disable or secure debug interfaces on production hardware. UART debug headers are commonly used during development and manufacturing for diagnostics and firmware updates but should be disabled or protected before deployment. In this case, the UART interface remains fully functional and accessible, transmitting sensitive user input data without any encryption or access controls.
Additionally, the device's Plug-and-Play design philosophy prioritized ease of installation and replacement over physical security, making it trivial for attackers to gain temporary physical access to the device's internals without triggering security alerts.
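To make the root cause concrete, here is an added example (not dormakaba firmware, and not code from the advisory) that models a keypad handler which echoes every key to a debug UART, next to a hardened version that compiles the trace out of production builds and never logs the key value. The UART is replaced by an in-memory capture buffer so it runs on a PC; the function names and the PINPAD_DEBUG_BUILD flag are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Stand-in for the UART transmit path: everything "sent" lands here. */
static char uart_capture[256];
static size_t uart_len;

static void uart_tx(const char *s) {
    size_t n = strlen(s);
    if (uart_len + n >= sizeof uart_capture) return;  /* drop on overflow */
    memcpy(uart_capture + uart_len, s, n + 1);
    uart_len += n;
}

void uart_reset(void) { uart_len = 0; uart_capture[0] = '\0'; }
const char *uart_output(void) { return uart_capture; }

/* Vulnerable pattern (CWE-1295): the raw key value reaches the debug UART
 * on every press, so anything attached to the header sees the whole PIN. */
void keypress_vulnerable(char key) {
    char line[32];
    snprintf(line, sizeof line, "KEY=%c\n", key);
    uart_tx(line);
}

/* Hardened pattern: tracing exists only in builds that define
 * PINPAD_DEBUG_BUILD (assumed name), and even then only the fact that a
 * key event happened is emitted, never its value. A production build
 * therefore sends nothing on the UART no matter what is wired to it. */
void keypress_hardened(char key) {
    (void)key;  /* the value goes to the PIN verifier, not to any log */
#ifdef PINPAD_DEBUG_BUILD
    uart_tx("KEY_EVENT\n");
#endif
}

/* Feeds a PIN through a handler and reports whether any digit of it
 * can be found in what the "UART" received. */
bool pin_leaks(void (*handler)(char), const char *pin) {
    uart_reset();
    for (const char *p = pin; *p; ++p) handler(*p);
    for (const char *p = pin; *p; ++p)
        if (strchr(uart_capture, *p)) return true;
    return false;
}
```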
Attack Vector
The attack requires physical access to the dormakaba 9002 PIN Pad Unit. An attacker can exploit this vulnerability through the following attack chain:
- Device Removal: Leverage the Plug-and-Play design to quickly remove the PIN pad from its installation point
- Hardware Implant Installation: Access the exposed UART header on the device's backside and connect a small hardware implant (e.g., microcontroller with WiFi capability)
- Device Reinstallation: Return the modified device to its original location
- Data Exfiltration: The implant captures all button presses transmitted over UART and exfiltrates the data wirelessly to an attacker-controlled system
- Credential Harvesting: Collected PINs can be used to gain unauthorized access to protected areas
Since the UART interface transmits every keystroke, an attacker can easily correlate button sequences to extract complete PIN codes entered by legitimate users.
Detection Methods for CVE-2025-59109
Indicators of Compromise
- Physical tampering signs on PIN pad units (scratches, gaps, loose mounting)
- Unexpected wireless signals originating from or near access control devices
- Unauthorized access events following PIN pad maintenance or removal
- Discovery of unauthorized hardware components during device inspection
Detection Strategies
- Implement regular physical inspections of PIN pad devices to detect tampering
- Deploy RF detection equipment to identify unauthorized wireless transmitters near access control points
- Monitor access control logs for anomalous authentication patterns that may indicate credential theft
- Establish chain-of-custody procedures for all physical access control devices
Monitoring Recommendations
- Create baseline physical security profiles for all installed PIN pad units
- Implement tamper-evident seals on device mounting points and enclosures
- Monitor for unusual access patterns such as successful authentications outside normal business hours
- Correlate physical security camera footage with access control events
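The log-side checks recommended above can be automated. The following is an added example (not part of the original advisory, and not a dormakaba tool) that runs a correlation over constructed access-control events and flags two patterns: successful authentications outside business hours, and successes at a reader within a window after that reader was serviced or removed. The record layout, the business-hours bounds and the 72-hour window are assumptions.

```c
#include <string.h>

typedef enum { EV_AUTH_OK, EV_AUTH_FAIL, EV_MAINTENANCE } event_kind;

typedef struct {
    long ts;              /* seconds since midnight of day 0 (constructed) */
    const char *reader;   /* PIN pad identifier */
    const char *user;
    event_kind kind;
} access_event;

#define BUSINESS_OPEN  7                     /* assumed: 07:00 */
#define BUSINESS_CLOSE 19                    /* assumed: 19:00 */
#define POST_SERVICE_WINDOW (72L * 3600)     /* assumed: 72 h after service */

static int outside_hours(const access_event *e) {
    int hour = (int)((e->ts / 3600) % 24);
    return hour < BUSINESS_OPEN || hour >= BUSINESS_CLOSE;
}

/* Returns how many successful authentications match either pattern.
 * Events must be in chronological order, as an exported log would be. */
int count_suspicious(const access_event *ev, int n) {
    int flagged = 0;
    for (int i = 0; i < n; ++i) {
        if (ev[i].kind != EV_AUTH_OK) continue;
        int suspicious = outside_hours(&ev[i]);
        /* look back for a maintenance/removal event on the same reader */
        for (int j = i - 1; j >= 0 && !suspicious; --j)
            if (ev[j].kind == EV_MAINTENANCE &&
                strcmp(ev[j].reader, ev[i].reader) == 0 &&
                ev[i].ts - ev[j].ts <= POST_SERVICE_WINDOW)
                suspicious = 1;
        flagged += suspicious;
    }
    return flagged;
}

/* Constructed sample log: one reader is serviced, a success follows within
 * 72 h; another reader sees a success at 02:00 the next day. */
const access_event SAMPLE_LOG[] = {
    {  32400, "PAD-LOBBY", "alice", EV_AUTH_OK },      /* day 0 09:00 */
    {  36000, "PAD-LOBBY", "tech1", EV_MAINTENANCE },  /* day 0 10:00 */
    {  39600, "PAD-LOBBY", "bob",   EV_AUTH_OK },      /* flagged: post-service */
    {  43200, "PAD-LAB",   "carol", EV_AUTH_FAIL },    /* ignored: not a success */
    {  93600, "PAD-LAB",   "carol", EV_AUTH_OK },      /* flagged: 02:00 */
    { 482400, "PAD-LOBBY", "alice", EV_AUTH_OK },      /* day 5 14:00, > 72 h */
};
const int SAMPLE_LOG_LEN = sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0];
```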
How to Mitigate CVE-2025-59109
Immediate Actions Required
- Conduct physical inspection of all deployed dormakaba 9002 PIN Pad Units for signs of tampering
- Apply tamper-evident seals or security tape to device enclosures and mounting points
- Enhance physical security monitoring around access control points
- Review access logs for any suspicious authentication activity
Patch Information
Consult the Dormakaba Security Advisory page for official guidance and any available firmware updates or hardware revisions that address this vulnerability. Additional technical analysis is available from SEC Consult.
Workarounds
- Install additional physical security measures (cameras, cages, locked enclosures) around PIN pad devices
- Implement multi-factor authentication requiring additional credentials beyond PIN entry
- Consider replacing vulnerable units with models that include hardware security features such as tamper detection
- Apply epoxy or physical blocking to the UART header to prevent easy access (note: may void warranty and complicate legitimate maintenance)
Physical security checklist for dormakaba 9002 PIN Pads
1. Document all installed PIN pad locations
2. Apply tamper-evident seals to device enclosures
3. Photograph baseline device condition for comparison
4. Schedule regular physical inspection intervals
5. Implement access logging for maintenance personnel
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.