CVE-2025-59105
Unknown Unknown - Not Provided

Flash Memory Tampering Enables Root Access on Linux K7 Devices

Vulnerability report for CVE-2025-59105, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: SEC Consult Vulnerability Lab

Description

With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Thus, essential files, such as "/etc/passwd", as well as stored certificates, cryptographic keys, stored PINs and so on can be modified and read, in order to gain SSH root access on the Linux-based K7 model. On the Windows CE based K5 model, the password for the Access Manager can additionally be read in plain text from the stored SQLite database.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-07-06
AI Q&A
2026-01-26
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 8 associated CPEs
Vendor Product Version / Range
dormakaba access_manager to BAME_06.00 (exc)
dormakaba access_manager From BAME_04.07.268 (exc)
dormakaba access_manager From BAME_05.01.88 (exc)
dormakaba access_manager From BAME_06.00 (exc)
dormakaba access_manager to XAMB_04.06.212 (exc)
dormakaba access_manager to XAMB_04.05.21 (exc)
dormakaba access_manager to BAME_04.05.16 (exc)
dormakaba access_manager to BAME_04.07.268 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows an attacker with physical access to the device and sufficient time to desolder the flash memory, modify its contents, and then reinstall it because the flash memory is not encrypted. This enables the attacker to read and modify essential files such as /etc/passwd, stored certificates, cryptographic keys, and stored PINs. On the Linux-based K7 model, this can lead to gaining SSH root access. On the Windows CE based K5 model, the password for the Access Manager can be read in plain text from the stored SQLite database.

Impact Analysis

The vulnerability can lead to unauthorized access to the device with root privileges on Linux-based K7 models, allowing an attacker to control the system via SSH. It also exposes sensitive information such as stored certificates, cryptographic keys, and PINs, which can be used for further attacks or impersonation. On Windows CE based K5 models, the Access Manager password can be obtained in plain text, compromising access control. Overall, this can result in a complete compromise of the device's security and confidentiality.

Mitigation Strategies

To mitigate this vulnerability, restrict physical access to the affected devices to prevent attackers from desoldering and modifying the flash memory. Additionally, consider implementing hardware-level encryption for flash memory to protect stored sensitive files and credentials. Since the vulnerability involves missing encryption and physical tampering, physical security controls are critical.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59105. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart