CVE-2025-59104
Bootloader Command Injection via Debug Interface Enables Root Access
Publication date: 2026-01-26
Last updated on: 2026-01-26
Assigner: SEC Consult Vulnerability Lab
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dormakaba | access_manager | to BAME_06.00 (exc) |
| dormakaba | access_manager | From BAME_04.07.268 (exc) |
| dormakaba | access_manager | to XAMB_04.06.212 (exc) |
| dormakaba | access_manager | to XAMB_04.05.21 (exc) |
| dormakaba | access_manager | to BAME_05.02.156 (exc) |
| dormakaba | access_manager | to BAME_05.01.88 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1234 | System configuration protection may be bypassed during debug mode. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers with physical access to gain root shell access and extract sensitive data such as PINs, card data, and credentials from the dormakaba exos 9300 physical access control system. Such unauthorized access and data extraction can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. The ability to unlock doors and reconfigure devices without authentication also undermines physical security controls mandated by these standards. Therefore, exploitation of this vulnerability can result in non-compliance with common security and privacy regulations due to unauthorized data access and compromised physical security. [1, 2]
Can you explain this vulnerability to me?
This vulnerability allows an attacker with physical access and sufficient time to connect to the device's debug interface by soldering test leads or using a 6-Pin tag-connect cable. Through this access, the attacker can reach the bootloader and modify the kernel command line, ultimately gaining a root shell on the device.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can gain root-level access to the device, potentially allowing them to fully control the system, access sensitive data, modify system configurations, install malicious software, or disrupt device operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, restrict physical access to the device to prevent attackers from soldering test leads or using the 6-Pin tag-connect cable to access the bootloader. Implement physical security controls such as locked enclosures and surveillance. Additionally, consider hardware modifications or protections that prevent unauthorized access to debug footprints.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability (CVE-2025-59104) requires physical access to the device to solder test leads or use a tag-connect cable to access the bootloader and gain root shell access. Detection on a network or system remotely is not feasible since it involves physical hardware manipulation. To detect if a device is vulnerable or has been tampered with, physical inspection of the device's debug ports for soldered leads or connected tag-connect cables is necessary. There are no specific network commands or software commands provided to detect this vulnerability remotely. Monitoring for unexpected root shell access or unauthorized bootloader modifications might require device-specific forensic analysis, but no explicit commands are given in the provided resources. [1]