CVE-2025-59104
Bootloader Command Injection via Debug Interface Enables Root Access

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: SEC Consult Vulnerability Lab

Description
With physical access to the device and enough time, an attacker is able to solder test leads to the debug footprint (or use the 6-Pin tag-connect cable). The attacker thus gains access to the bootloader, where the kernel command line can be changed. An attacker is able to gain a root shell through this vulnerability.
Meta Information
Published: 2026-01-26
Last Modified: 2026-01-26
Generated: 2026-06-16
AI Q&A: 2026-01-26
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 6 associated CPEs
Vendor      Product          Version / Range
dormakaba   access_manager   to BAME_06.00 (exc)
dormakaba   access_manager   From BAME_04.07.268 (exc)
dormakaba   access_manager   to XAMB_04.06.212 (exc)
dormakaba   access_manager   to XAMB_04.05.21 (exc)
dormakaba   access_manager   to BAME_05.02.156 (exc)
dormakaba   access_manager   to BAME_05.01.88 (exc)
CWE ID Description
CWE-1234 System configuration protection may be bypassed during debug mode.
Executive Summary

This vulnerability allows an attacker with physical access and sufficient time to connect to the device's debug interface by soldering test leads or using a 6-Pin tag-connect cable. Through this access, the attacker can reach the bootloader and modify the kernel command line, ultimately gaining a root shell on the device.

Impact Analysis

An attacker exploiting this vulnerability can gain root-level access to the device, potentially allowing them to fully control the system, access sensitive data, modify system configurations, install malicious software, or disrupt device operations.

Mitigation Strategies

To mitigate this vulnerability, restrict physical access to the device to prevent attackers from soldering test leads or using the 6-Pin tag-connect cable to access the bootloader. Implement physical security controls such as locked enclosures and surveillance. Additionally, consider hardware modifications or protections that prevent unauthorized access to debug footprints.

Compliance Impact

This vulnerability allows attackers with physical access to gain root shell access and extract sensitive data such as PINs, card data, and credentials from the dormakaba exos 9300 physical access control system. Such unauthorized access and data extraction can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information. The ability to unlock doors and reconfigure devices without authentication also undermines physical security controls mandated by these standards. Therefore, exploitation of this vulnerability can result in non-compliance with common security and privacy regulations due to unauthorized data access and compromised physical security. [1, 2]

Detection Guidance

Exploiting this vulnerability (CVE-2025-59104) requires physical access to the device in order to solder test leads or use a tag-connect cable, reach the bootloader, and gain a root shell. Because the attack consists of physical hardware manipulation, detecting it remotely over the network or from another system is not feasible. To determine whether a device is vulnerable or has been tampered with, physically inspect its debug ports for soldered leads or connected tag-connect cables. The provided resources give no network or software commands for detecting this vulnerability remotely. Monitoring for unexpected root shell access or unauthorized bootloader modifications might require device-specific forensic analysis, but the resources give no explicit commands for that either. [1]
