CVE-2025-59106
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-26

Last updated on: 2026-02-12

Assigner: SEC Consult Vulnerability Lab

Description
The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-02-12
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59106
EUVD
EUVD-2025-206378
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
dormakabagroup dormakaba_access_manager_9200-k7_firmware to bame_06.00 (exc)
dormakabagroup dormakaba_access_manager_9230-k7_firmware to bame_06.00 (exc)
dormakabagroup dormakaba_access_manager_9290-k7_firmware to bame_06.00 (exc)
dormakabagroup dormakaba_access_manager_9200-k5_firmware *
dormakabagroup dormakaba_access_manager_9230-k5_firmware *
dormakabagroup dormakaba_access_manager_9290-k5_firmware *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-272 The elevated privilege level required to perform operations such as chroot() should be dropped immediately after the operation is performed.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability is that the binary responsible for serving the web server and executing all actions from the Web UI runs with root privileges. This violates the least privilege principle, meaning if an attacker exploits other vulnerabilities to execute code on the system, they can run commands with the highest privileges.

Impact Analysis

If an attacker exploits this vulnerability, they can execute commands with root privileges on the system, potentially leading to full system compromise, unauthorized access, and control over the affected device or server.

Compliance Impact

The vulnerability allows attackers to execute commands with root privileges if they gain code execution, violating the least privilege principle. This can lead to unauthorized access to sensitive data such as PINs, card IDs, and other credentials, potentially resulting in data breaches. Such breaches could compromise compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data. The ability to unlock doors and manipulate physical access control systems without authentication further increases the risk of unauthorized access to secure areas, impacting compliance with physical security requirements in these regulations. Therefore, this vulnerability poses significant risks to maintaining compliance with common security and privacy standards. [1, 2]

Mitigation Strategies

Immediate mitigation steps include applying vendor patches as soon as possible, enabling authentication mechanisms such as IPsec or mTLS to secure communication interfaces, enforcing strong passwords to replace weak or default credentials, enabling encryption for data in transit, and improving network segmentation to limit access to vulnerable devices. These measures help reduce the risk of exploitation by limiting unauthorized access and protecting sensitive data. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart