CVE-2025-59101
IP Spoofing Allows Unauthorized Access to Access Manager Interface
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Description
Affected Vendors & Products
| Vendor | Product | Affected versions |
|---|---|---|
| dormakaba | access_manager | earlier than BAME_06.00 |
| dormakaba | access_manager | earlier than XAMB_04.06.212 |
| dormakaba | access_manager | earlier than XAMB_04.05.21 |
| dormakaba | access_manager | earlier than BAME_04.05.16 |
| dormakaba | access_manager | earlier than BAME_05.01.88 |
| dormakaba | access_manager | earlier than BAME_04.07.268 |
Each range covers all versions before the listed one; the listed version itself is outside the range (exclusive upper bound).
Exploitability
| CWE ID | Description |
|---|---|
| CWE-291 | Reliance on IP Address for Authentication: the product uses an IP address for authentication. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets an attacker who can spoof a logged-in user's IP address reach the Access Manager web interface without credentials, which can lead to unauthorized control over physical access infrastructure and to extraction of sensitive data such as card IDs and PINs. Unauthorized access of that kind, and the resulting exposure of personal data, can put an operator out of compliance with regulations like GDPR and HIPAA, which require that personal and sensitive data be protected and that access to secure systems be controlled. The cited resources themselves do not discuss compliance or regulatory impact. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Because the device tracks authentication by source IP address and issues no session token, the indicator to look for is one source address reaching the web interface or SOAP API from more than one device. Capture HTTP requests to the Access Manager with tcpdump or Wireshark on the device's own network segment and look for a single source IP appearing with more than one Ethernet source address, especially a MAC change while the earlier client's session is still active; off that segment the frames carry the router's MAC, so the check has to fall back to unusual access patterns against the web interface or SOAP endpoints and to log review for repeated successful authentication from the same IP but different devices. The cited resources provide no specific commands. [1, 2]
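Detection logic of the kind described above, as an added example (it is not from the advisory or the cited resources): it reads tshark field output from a capture taken on the Access Manager's segment and flags source IPs whose consecutive requests to the device switched Ethernet source address within a short window. The device address 192.0.2.10, the MACs and the request records are constructed, and the URI paths are placeholders because the advisory does not name the interface endpoints.

```python
"""Flag Access Manager requests whose source IP switched Ethernet source address.

Input: tab-separated tshark field output from a capture on the same L2 segment
as the Access Manager, for example
  tshark -r am.pcap -Y 'http.request' -T fields -E separator=/t \
      -e frame.time_epoch -e eth.src -e ip.src -e ip.dst \
      -e http.request.method -e http.request.uri
Device address, MACs, paths and records below are constructed for the example.
"""
from collections import defaultdict

ACCESS_MANAGER_IP = "192.0.2.10"  # assumption: the device's address

# Constructed sample: the operator at 10.0.0.5 logs in from MAC ...44:aa; 89 s
# later the same IP reaches the device from MAC ...44:bb with no login between.
# 10.0.0.9 changes MAC after two days, which looks like a DHCP re-lease.
SAMPLE_TSHARK = """\
1700000000.10\t00:11:22:33:44:aa\t10.0.0.5\t192.0.2.10\tPOST\t/login
1700000001.20\t00:11:22:33:44:aa\t10.0.0.5\t192.0.2.10\tGET\t/
1700000090.00\t00:11:22:33:44:bb\t10.0.0.5\t192.0.2.10\tGET\t/
1700000095.00\t00:11:22:33:44:bb\t10.0.0.5\t192.0.2.10\tPOST\t/soap
1700000100.00\tde:ad:be:ef:00:01\t10.0.0.7\t192.0.2.10\tGET\t/
1700000110.00\tde:ad:be:ef:00:01\t10.0.0.7\t203.0.113.9\tGET\t/
1700000000.00\t00:11:22:33:44:cc\t10.0.0.9\t192.0.2.10\tGET\t/
1700200000.00\t00:11:22:33:44:dd\t10.0.0.9\t192.0.2.10\tGET\t/
"""


def parse_records(text):
    """Yield one dict per non-empty line of the tshark output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, src, dst, method, uri = line.split("\t")
        yield {"ts": float(ts), "mac": mac.lower(), "src": src,
               "dst": dst, "method": method, "uri": uri}


def find_ip_mac_conflicts(text, target_ip=ACCESS_MANAGER_IP, window=3600):
    """Return {src_ip: [(ts, old_mac, new_mac, gap_seconds), ...]} for source
    IPs whose consecutive requests to target_ip came from different MACs
    within `window` seconds (None = any gap).  A switch after a long gap is
    more likely a DHCP re-lease than someone reusing a logged-in address."""
    by_ip = defaultdict(list)
    for rec in parse_records(text):
        if rec["dst"] == target_ip:
            by_ip[rec["src"]].append(rec)
    conflicts = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r["ts"])
        events = [(cur["ts"], prev["mac"], cur["mac"], cur["ts"] - prev["ts"])
                  for prev, cur in zip(reqs, reqs[1:])
                  if cur["mac"] != prev["mac"]
                  and (window is None or cur["ts"] - prev["ts"] <= window)]
        if events:
            conflicts[ip] = events
    return conflicts


def report(conflicts):
    """Render the conflicts as one line per MAC switch."""
    return "\n".join(
        f"{ip}: {old} -> {new} at {ts:.0f} ({gap:.0f}s after previous request)"
        for ip, events in sorted(conflicts.items())
        for ts, old, new, gap in events)


if __name__ == "__main__":
    print(report(find_ip_mac_conflicts(SAMPLE_TSHARK)) or "no conflicts")
```

A MAC switch on its own is not proof of abuse (DHCP re-leases and failover pairs produce them too), which is why the window defaults to an hour and the report keeps the gap; tune both against a baseline from your own segment before alerting on it.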
What immediate steps should I take to mitigate this vulnerability?
Update to a version outside the affected ranges listed above. Until that is done: enable the authenticated transport the platform offers (IPsec on K5 models, mTLS on K7 models) so that a spoofed source address alone is not enough to reach the interface; enable encryption for the web and SOAP interfaces; replace weak or default passwords with strong ones; and segment the network so that only designated management hosts can reach the Access Manager devices. Together these steps remove the attacker's ability to reach the interface from a spoofed address and limit what a reachable device exposes. [1, 2]
Can you explain this vulnerability to me?
The Access Manager web interface does not issue a session token or cookie after login. Instead it records the source IP address that logged in successfully and treats every later request from that address as authenticated. Anyone who can send requests to the device with that source address therefore inherits the operator's session without knowing the password. Because the interface runs over TCP, the attacker also needs the device's replies to reach them, which in practice means being on the same network segment (ARP spoofing, or reusing the address once the operator's client is idle or offline) or sitting behind the same NAT or proxy as the operator, in which case every host behind that shared address is logged in at once.
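The difference between the flawed design and the conventional one, as an added illustration in Python; it is hypothetical and not dormakaba's code, since the advisory describes the behaviour rather than the implementation. The credential store, addresses and paths are constructed.

```python
"""IP-keyed sessions (the flawed pattern) next to token-keyed sessions.
Added illustration; hypothetical, not dormakaba's code.  Credentials,
addresses and paths are constructed."""
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    client_ip: str                    # source address as the server's TCP stack sees it
    path: str
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


USERS = {"admin": "correct horse battery staple"}  # constructed; plaintext only for brevity


def credentials_ok(form):
    expected = USERS.get(form.get("user", ""), "")
    return bool(expected) and hmac.compare_digest(
        expected.encode(), form.get("password", "").encode())


# Flawed pattern (CWE-291): a successful login marks the *address* as logged in.
class IpAuthServer:
    def __init__(self):
        self.logged_in_ips = set()

    def handle(self, req):
        if req.path == "/login":
            if credentials_ok(req.form):
                self.logged_in_ips.add(req.client_ip)
                return 200
            return 401
        # Anyone able to send from a logged-in address is treated as that user.
        return 200 if req.client_ip in self.logged_in_ips else 401


# Conventional pattern: login returns an unguessable token; the token, not the
# address, is what later requests must present, and it expires when idle.
class TokenAuthServer:
    IDLE_TTL = 900  # seconds

    def __init__(self, clock=time.time):
        self.sessions = {}  # token -> (user, last_seen)
        self.clock = clock  # injectable so expiry can be exercised in tests

    def handle(self, req):
        if req.path == "/login":
            if credentials_ok(req.form):
                token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
                self.sessions[token] = (req.form["user"], self.clock())
                # A real server returns it as Set-Cookie: session=...; HttpOnly; Secure
                return 200, token
            return 401, None
        return (200, None) if self.user_for(req) else (401, None)

    def user_for(self, req):
        """Resolve the presented cookie to a user, dropping idle sessions."""
        presented = req.cookies.get("session", "").encode()
        now = self.clock()
        for token, (user, last_seen) in list(self.sessions.items()):
            if now - last_seen > self.IDLE_TTL:
                del self.sessions[token]
            elif hmac.compare_digest(token.encode(), presented):
                self.sessions[token] = (user, now)
                return user
        return None


def demo():
    """Operator logs in from 10.0.0.5; the attacker then sends from the same
    source address with no cookie.  Returns (flawed, hardened, hardened+cookie)."""
    login = Request("10.0.0.5", "/login",
                    form={"user": "admin", "password": USERS["admin"]})
    spoofed = Request("10.0.0.5", "/")   # same IP, no session cookie

    flawed = IpAuthServer()
    flawed.handle(login)
    flawed_result = flawed.handle(spoofed)

    hardened = TokenAuthServer()
    _, token = hardened.handle(login)
    spoofed_result, _ = hardened.handle(spoofed)
    legit_result, _ = hardened.handle(
        Request("10.0.0.5", "/", cookies={"session": token}))
    return flawed_result, spoofed_result, legit_result


if __name__ == "__main__":
    print(demo())  # (200, 401, 200)
```

In the flawed server the spoofed request succeeds because the address is the only thing checked; in the token server the same request fails, and the token is valid from any address, which is what makes shared NAT or proxy addresses safe rather than a mass login.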
How can this vulnerability impact me?
An attacker who can reach the Access Manager web interface with a logged-in user's source address gets the same level of control as that user. That means the ability to read or change the configuration of the physical access system the device manages and to extract data held on it, such as card IDs and PINs, without ever presenting a credential.