CVE-2025-59098
Unknown Unknown - Not Provided
Unauthenticated TCP Trace Data Exposure in dormakaba Access Manager

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: SEC Consult Vulnerability Lab

Description
The Access Manager is offering a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket. A tool called TraceClient.exe, provided by dormakaba via the Access Manager web interface, is used to connect to the socket and receive debug information. The data is permanently broadcasted on the TCP socket. The socket can be accessed without any authentication or encryption. The transmitted data is based on the set verbosity level. The verbosity level can be set using the http(s) endpoint with the service interface password or with the guessable identifier of the device via the SOAP interface. The transmitted data contains sensitive data like the Card ID as well as all button presses on Registration units. This allows an attacker with network level access to retrieve all entered PINs on a registration unit.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59098
EUVD
EUVD-2025-206362
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dormakaba access_manager *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the Access Manager's trace functionality, which broadcasts debug information over a TCP socket without any authentication or encryption. An attacker with network access can connect to this socket and receive sensitive data, including Card IDs and all button presses on Registration units, such as entered PINs. The verbosity level of the transmitted data can be set via HTTP(S) or SOAP interfaces, potentially allowing attackers to increase the amount of sensitive information exposed.

Impact Analysis

The vulnerability can lead to unauthorized disclosure of sensitive information, such as Card IDs and PINs entered on Registration units. An attacker with network access can intercept this data, potentially leading to unauthorized access, identity theft, or other security breaches involving the affected devices.

Detection Guidance

This vulnerability can be detected by scanning the network for open TCP sockets associated with the Access Manager's trace functionality that broadcast debug information without authentication or encryption. You can use network scanning tools like nmap to identify open TCP ports related to the Access Manager device. For example, running a command such as 'nmap -sV -p <port> <target-ip>' can help detect the open trace socket. Additionally, using tools like netcat (nc) to connect to the suspected TCP socket (e.g., 'nc <target-ip> <port>') can verify if debug information is being broadcasted. Monitoring network traffic for unencrypted debug data containing sensitive information like Card IDs or button presses can also indicate the presence of this vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting network access to the TCP socket used for the trace functionality to trusted administrators only, ideally by implementing network segmentation or firewall rules to block unauthorized access. Disabling the trace functionality if it is not required can prevent exposure. Additionally, changing or securing the service interface password and avoiding the use of guessable device identifiers can reduce the risk of unauthorized verbosity level changes. Since the socket lacks authentication and encryption, applying network-level protections is critical to prevent attackers from intercepting sensitive debug data.

Compliance Impact

This vulnerability exposes sensitive data such as Card IDs and PIN entries without authentication or encryption, which could lead to unauthorized access to personal and security information. Such exposure likely violates data protection requirements in standards like GDPR and HIPAA that mandate safeguarding personal and sensitive information against unauthorized access and ensuring confidentiality and integrity of data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59098. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart