CVE-2025-59106
BaseFortify
Publication date: 2026-01-26
Last updated on: 2026-02-12
Assigner: SEC Consult Vulnerability Lab
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dormakabagroup | dormakaba_access_manager_9200-k7_firmware | to bame_06.00 (exc) |
| dormakabagroup | dormakaba_access_manager_9230-k7_firmware | to bame_06.00 (exc) |
| dormakabagroup | dormakaba_access_manager_9290-k7_firmware | to bame_06.00 (exc) |
| dormakabagroup | dormakaba_access_manager_9200-k5_firmware | * |
| dormakabagroup | dormakaba_access_manager_9230-k5_firmware | * |
| dormakabagroup | dormakaba_access_manager_9290-k5_firmware | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-272 | The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to execute commands with root privileges if they gain code execution, violating the least privilege principle. This can lead to unauthorized access to sensitive data such as PINs, card IDs, and other credentials, potentially resulting in data breaches. Such breaches could compromise compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. The ability to unlock doors and manipulate physical access control systems without authentication further increases the risk of unauthorized access to secure areas, impacting compliance with physical security requirements in these regulations. Therefore, this vulnerability poses significant risks to maintaining compliance with common security and privacy standards. [1, 2]
Can you explain this vulnerability to me?
The vulnerability is that the binary responsible for serving the web server and executing all actions from the Web UI runs with root privileges. This violates the least privilege principle, meaning if an attacker exploits other vulnerabilities to execute code on the system, they can run commands with the highest privileges.
How can this vulnerability impact me? :
If an attacker exploits this vulnerability, they can execute commands with root privileges on the system, potentially leading to full system compromise, unauthorized access, and control over the affected device or server.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying vendor patches as soon as possible, enabling authentication mechanisms such as IPsec or mTLS to secure communication interfaces, enforcing strong passwords to replace weak or default credentials, enabling encryption for data in transit, and improving network segmentation to limit access to vulnerable devices. These measures help reduce the risk of exploitation by limiting unauthorized access and protecting sensitive data. [1, 2]