CVE-2025-59105
Unknown Unknown - Not Provided
Flash Memory Tampering Enables Root Access on Linux K7 Devices

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: SEC Consult Vulnerability Lab

Description
With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Thus, essential files, such as "/etc/passwd", as well as stored certificates, cryptographic keys, stored PINs and so on can be modified and read, in order to gain SSH root access on the Linux-based K7 model. On the Windows CE based K5 model, the password for the Access Manager can additionally be read in plain text from the stored SQLite database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59105
EUVD
EUVD-2025-206374
Affected Vendors & Products
Showing 8 associated CPEs
Vendor Product Version / Range
dormakaba access_manager to BAME_06.00 (exc)
dormakaba access_manager From BAME_04.07.268 (exc)
dormakaba access_manager From BAME_05.01.88 (exc)
dormakaba access_manager From BAME_06.00 (exc)
dormakaba access_manager to XAMB_04.06.212 (exc)
dormakaba access_manager to XAMB_04.05.21 (exc)
dormakaba access_manager to BAME_04.05.16 (exc)
dormakaba access_manager to BAME_04.07.268 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows an attacker with physical access to the device and sufficient time to desolder the flash memory, modify its contents, and then reinstall it because the flash memory is not encrypted. This enables the attacker to read and modify essential files such as /etc/passwd, stored certificates, cryptographic keys, and stored PINs. On the Linux-based K7 model, this can lead to gaining SSH root access. On the Windows CE based K5 model, the password for the Access Manager can be read in plain text from the stored SQLite database.

Impact Analysis

The vulnerability can lead to unauthorized access to the device with root privileges on Linux-based K7 models, allowing an attacker to control the system via SSH. It also exposes sensitive information such as stored certificates, cryptographic keys, and PINs, which can be used for further attacks or impersonation. On Windows CE based K5 models, the Access Manager password can be obtained in plain text, compromising access control. Overall, this can result in a complete compromise of the device's security and confidentiality.

Mitigation Strategies

To mitigate this vulnerability, restrict physical access to the affected devices to prevent attackers from desoldering and modifying the flash memory. Additionally, consider implementing hardware-level encryption for flash memory to protect stored sensitive files and credentials. Since the vulnerability involves missing encryption and physical tampering, physical security controls are critical.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59105. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart