CVE-2025-59103
Hardcoded Weak SSH Passwords in Access Manager 92xx K
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Affected versions (upper bound excluded) |
|---|---|---|
| dormakaba | access_manager | all versions before BAME_06.00 |
| dormakaba | access_manager | all versions before XAMB_04.06.212 |
| dormakaba | access_manager | all versions before XAMB_04.05.21 |
| dormakaba | access_manager | all versions before BAME_04.05.16 |
| dormakaba | access_manager | all versions before BAME_05.01.88 |
| dormakaba | access_manager | all versions before BAME_04.07.268 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1391 | The product uses weak credentials (such as a default key or hard-coded password) that can be calculated, derived, reused, or guessed by an attacker. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects hardware revision K7 of the Access Manager 92xx, which runs Linux rather than the Windows CE used by earlier hardware revisions. The device exposes an SSH service on TCP port 22, and two accounts on it have hard-coded, weak passwords that are easy to guess. For one of the two accounts the password is randomized after deployment, but that randomization depends on the device's configured date (the check is tied to the year 2022): it does not run if the clock is never set, if the clock battery is replaced, or if the device is factory reset without subsequently receiving a time. In those cases the account keeps its weak, predictable password, and anyone who can reach port 22 can log in over SSH with it.
How can this vulnerability impact me?
This vulnerability can allow unauthorized attackers to gain SSH access to the device due to weak or hardcoded passwords. This unauthorized access could lead to compromise of the device, unauthorized control, data exposure, or disruption of services provided by the Access Manager 92xx device.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Start by finding devices that expose SSH on TCP port 22, then narrow the list to Access Manager 92xx hardware revision K7 units. A port scan such as `nmap -p 22 <target-ip>` shows whether the port is open; adding service detection (`nmap -p 22 -sV <target-ip>`) also records the SSH banner, which helps separate the Linux-based K7 revision from other equipment on the same network. The vulnerability is confirmed by logging in over SSH with the hard-coded account names and passwords; this summary does not list them, so take them from the vendor or SEC Consult advisory, and only attempt the login on devices you are authorized to test. A successful login with a known weak password, including on a device whose clock was never set and whose password was therefore never randomized, confirms the finding.
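The inventory step above, as an added example that is not code from this page, from dormakaba or from SEC Consult: a Python script that checks a list of hosts for an SSH listener on port 22 and records the server identification string, which is the same banner `nmap -sV` reads. The addresses and banners in `SAMPLE_BANNERS` are constructed for offline use and are not captured from a real Access Manager 92xx; this page does not give the device's real banner, so use the output to shortlist Linux-based SSH hosts and confirm the model by other means. The parser also skips the pre-version text lines RFC 4253 section 4.2 permits a server to send, which a naive prefix check would misreport.

```python
import socket
import sys

# Constructed sample responses for offline use (assumed, not captured from a real
# Access Manager 92xx): a plain banner, a host with no SSH, a banner preceded by
# a text line (allowed by RFC 4253 s4.2), and a non-SSH service on port 22.
SAMPLE_BANNERS = {
    "192.0.2.10": b"SSH-2.0-OpenSSH_7.4\r\n",
    "192.0.2.11": None,
    "192.0.2.12": b"Welcome to the controller\r\nSSH-2.0-dropbear_2019.78\r\n",
    "192.0.2.13": b"220 not an ssh service\r\n",
}


def parse_ssh_banner(raw):
    """Extract protoversion/software/comments from an SSH identification string
    ('SSH-protoversion-softwareversion SP comments CR LF', RFC 4253 s4.2).
    Lines before the 'SSH-' line are skipped. Returns None if none is present."""
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if not line.startswith(b"SSH-"):
            continue
        parts = line.decode("ascii", "replace").split("-", 2)
        if len(parts) < 3:
            return None
        software, _, comments = parts[2].partition(" ")
        return {"protoversion": parts[1], "software": software, "comments": comments}
    return None


def grab_ssh_banner(host, port=22, timeout=3.0):
    """Connect and read the server's identification string. Returns None if the
    port is closed or filtered, or nothing arrives within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(512)
    except OSError:
        return None
    return data or None


def inventory_ssh_hosts(hosts, grab=grab_ssh_banner):
    """Return {host: parsed banner} for hosts that answered on port 22. A host
    that answered with something that is not an SSH identification string is
    reported with the raw bytes so it can be reviewed by hand."""
    found = {}
    for host in hosts:
        data = grab(host)
        if data is None:
            continue
        parsed = parse_ssh_banner(data)
        found[host] = parsed if parsed is not None else {"raw": data}
    return found


def inventory_samples():
    """Run the inventory against the constructed samples instead of the network."""
    return inventory_ssh_hosts(
        SAMPLE_BANNERS,
        grab=lambda host, port=22, timeout=3.0: SAMPLE_BANNERS[host],
    )


if __name__ == "__main__":
    # Usage: python ssh_inventory.py <host> [<host> ...]; with no hosts given,
    # the constructed samples are used so the script runs offline.
    targets = sys.argv[1:]
    results = inventory_ssh_hosts(targets) if targets else inventory_samples()
    for host, info in sorted(results.items()):
        print(host, info)
```

Hosts that answered on port 22 but did not send an SSH identification string are kept in the result with their raw bytes rather than dropped, because a mis-identified controller is exactly what an inventory for this finding must not lose; treat those entries as leads to check manually.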
What immediate steps should I take to mitigate this vulnerability?
Change the hard-coded passwords on every affected device to strong, unique values. Set the device clock correctly so that the password randomization can run where it applies, and then verify that the old weak credential is actually rejected rather than assuming the randomization happened. Restrict SSH access to trusted management networks or addresses, and disable SSH where it is not required. Apply any firmware update or patch the vendor provides.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access to physical access control systems, enabling attackers to unlock doors, reconfigure devices, and extract sensitive data such as card IDs and PINs. This unauthorized access and potential data exposure could lead to non-compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive personal data and secure access controls. The exposure of sensitive authentication data and the ability to bypass security controls undermine the confidentiality and integrity requirements mandated by these regulations. Therefore, exploitation of this vulnerability poses significant risks to compliance with such standards. [1, 2]