CVE-2025-59102
Unauthorized Backup Access in Access Manager Exposes Sensitive Data
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions (the listed version is the first fixed release and is not affected) |
|---|---|---|
| dormakaba | exos_9300 | earlier than BAME_06.00 |
| dormakaba | exos_9300 | earlier than XAMB_04.06.212 |
| dormakaba | exos_9300 | earlier than BAME_04.07.268 |
| dormakaba | exos_9300 | earlier than BAME_05.01.88 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability lets an attacker who can reach the Access Manager's web server download the device's database backup, which holds user PINs in cleartext alongside encrypted MIFARE keys and card data; the access is obtained through weak authentication and session management flaws. PINs and card data tied to named users are personal data, so their exposure can breach GDPR's requirement to protect personal data against unauthorized access and, where the device controls access in a healthcare environment, HIPAA's safeguards for that data. Exploitation therefore undermines compliance both by exposing sensitive user data and by showing that adequate data protection controls were not in place. [1, 2]
Can you explain this vulnerability to me?
The web server of the Access Manager allows a backup of the local database stored on the device to be downloaded. That database contains encrypted MIFARE keys, card data, and user PINs, and the PINs are stored unencrypted (this cleartext storage is why the issue is classified as CWE-312). An attacker reaches the download by abusing session management issues, by using a weak default password, or by setting a new password without prior authentication through the device's SOAP API, and thereby obtains the sensitive data with little effort.
How can this vulnerability impact me?
Anyone who can download the backup obtains the encrypted MIFARE keys, the card data, and the cleartext user PINs. With PINs and card data in hand an attacker can impersonate legitimate users at the access points the device controls, gain entry they are not authorized for, and, having taken control of the device's credentials, manipulate its configuration.
What immediate steps should I take to mitigate this vulnerability?
Update the device to the first fixed release for its firmware branch (BAME_04.07.268, BAME_05.01.88, BAME_06.00 or XAMB_04.06.212, or later). Until that is done: replace the weak default password with a strong one; restrict network access to the web server and the SOAP API to administrative hosts so that neither the backup download nor the unauthenticated password change can be reached from general networks, and disable the SOAP API if it is not needed; and monitor the web server for backup downloads that are not preceded by a successful login.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection has two parts: finding dormakaba Access Manager devices on the network that run firmware older than the fixed releases listed above (the cited resources single out 92xx-K5 controllers on XAMB versions before 04.06.212), and checking whether the backup download is reachable without a valid session. Start by inventorying the web interfaces and SOAP endpoints, for example with an nmap scan for HTTP/HTTPS services followed by a fingerprint of the Access Manager web interface. Then request the backup download path with curl or wget from a client that holds no session cookie: a 200 response carrying the database file, rather than a redirect to the login page or a 401/403, confirms the exposure. Also audit the devices for the default password and review web-server logs for backup downloads that do not follow a successful login. The cited resources do not document the exact URLs or commands, so confirm the paths against your device's firmware and documentation before relying on a probe. [1]
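Below is an added example of such a triage check, written for this page and not taken from the advisory, the vendor or the cited resources. It applies the affected-versions table above to a firmware string reported by a device and classifies the reply to an unauthenticated request for the backup download. The backup path `/backup` and the firmware-string format `BRANCH_major.minor.patch` (as in `XAMB_04.06.212`) are assumptions to adjust to the real device; firmware branches the table does not list are reported as unknown rather than guessed, and the SOAP API is not probed because the page names no endpoint for it.

```python
"""Triage helper for CVE-2025-59102 (dormakaba exos 9300 Access Manager).

Added example, not vendor or advisory code. Two checks:
  1. is_vulnerable_version(): compare a device's firmware string with the
     first fixed releases from the advisory's affected-versions table.
  2. probe_backup(): GET the backup download path with no session and
     classify the reply (login page / redirect / 401 vs. a served file).
Assumptions: BACKUP_PATH and the "BRANCH_major.minor.patch" firmware
string format are placeholders; confirm both against the real device.
Inventory the web interfaces first, e.g.: nmap -p 80,443 -sV <subnet>
"""
import re
import sys
import urllib.error
import urllib.request

# Assumed path of the backup download; not documented on the page.
BACKUP_PATH = "/backup"

# First fixed release per firmware branch, from the advisory table
# ("to X (exc)": everything before X is affected, X itself is fixed).
FIXED = {
    ("BAME", (4, 7)): (4, 7, 268),
    ("BAME", (5, 1)): (5, 1, 88),
    ("BAME", (6, 0)): (6, 0, 0),
    ("XAMB", (4, 6)): (4, 6, 212),
}

VERSION_RE = re.compile(r"^(?P<branch>[A-Z]{4})[_ ](?P<nums>\d+(?:\.\d+){1,2})$")


def parse_version(text):
    """'XAMB_04.06.212' -> ('XAMB', (4, 6, 212)); 'BAME_06.00' -> ('BAME', (6, 0, 0))."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    nums = tuple(int(n) for n in m.group("nums").split("."))
    return m.group("branch"), (nums + (0, 0))[:3]


def is_vulnerable_version(text):
    """True if older than its branch's fix, False if at or after it,
    None if the advisory table lists no fix for that branch."""
    branch, nums = parse_version(text)
    fix = FIXED.get((branch, nums[:2]))
    if fix is None:
        return None
    return nums < fix


def classify_backup_response(status, content_type, body_prefix):
    """Interpret the reply to an unauthenticated GET of BACKUP_PATH."""
    if status in (401, 403) or 300 <= status < 400:
        return "auth-enforced"  # denied, or bounced to the login page
    if status == 200:
        is_html = ("text/html" in (content_type or "").lower()
                   or body_prefix.lstrip()[:1] == b"<")
        return "login-page" if is_html else "backup-served-unauthenticated"
    return f"unexpected-{status}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError instead of following it: the redirect is the signal."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_backup(host, path=BACKUP_PATH, scheme="http", timeout=5):
    """Request the backup path with no cookies and classify the answer."""
    req = urllib.request.Request(f"{scheme}://{host}{path}",
                                 headers={"User-Agent": "cve-2025-59102-check"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify_backup_response(resp.status,
                                            resp.headers.get("Content-Type"),
                                            resp.read(512))
    except urllib.error.HTTPError as err:
        body = err.read(512) if err.fp is not None else b""
        return classify_backup_response(err.code, err.headers.get("Content-Type"), body)


if __name__ == "__main__":
    # Usage: python3 check.py <host> <firmware-string>
    # e.g.   python3 check.py 192.0.2.10 XAMB_04.06.200
    host, firmware = sys.argv[1], sys.argv[2]
    print("firmware vulnerable:", is_vulnerable_version(firmware))
    print("backup probe:", probe_backup(host))
```

Run it against one controller at a time from a host with no existing session; a result of `backup-served-unauthenticated` together with `firmware vulnerable: True` is the combination to escalate. The redirect handler deliberately does not follow 3xx responses, because being sent to the login page is exactly the evidence that authentication was enforced.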