CVE-2025-59108
Default Password and Lack of Enforcement in Access Manager Web Interface

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: SEC Consult Vulnerability Lab

Description
By default, the password for the Access Manager's web interface is set to 'admin'. In the tested version, changing the password was not enforced.
Meta Information
Published: 2026-01-26
Last Modified: 2026-01-26
Generated: 2026-05-07
AI Q&A: 2026-01-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
dormakaba access_manager to BAME_06.00 (exc)
dormakaba access_manager From XAMB_04.06.212 (exc)
dormakaba access_manager From XAMB_04.05.21 (exc)
dormakaba access_manager From BAME_04.07.268 (exc)
dormakaba access_manager From BAME_05.01.88 (exc)
dormakaba access_manager From BAME_06.00 (exc)
CWE
CWE ID Description
CWE-1392 The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists because the Access Manager's web interface ships with the password 'admin', and in the tested version the device never forces that password to be changed. A device that was installed and left with the factory password therefore accepts a credential that anyone can look up, so the web interface is open to unauthorized access.


How can this vulnerability impact me?

The vulnerability can lead to unauthorized access to the Access Manager's web interface since the default password is known and not required to be changed. This can result in potential compromise of the system, unauthorized control, and exposure of sensitive information.


What immediate steps should I take to mitigate this vulnerability?

Change the default password 'admin' for the Access Manager's web interface immediately. Because the tested version does not enforce the change, the device will not prompt you; after changing it, confirm that a login with 'admin' is rejected, and apply the same check to every Access Manager you operate, since each one ships with the same factory password.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability, a weak default password combined with no enforced password change on the Access Manager's web interface, allows unauthorized access to a physical access control system and to sensitive data such as card IDs and PINs. Such access and potential data exposure can put an operator out of compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and secure access controls. Failure to secure these systems may result in breaches of confidentiality, integrity, and availability of protected data, thereby violating regulatory requirements. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Start by finding the devices. The advisory gives no service fingerprint, so use your asset inventory or a port scan of the management network for the web interface, for example nmap -p 80,443 <device-ip> or an nmap -sV sweep; the SSH port is not relevant to this CVE. Then, on hosts you are authorized to test, attempt to log in to the web interface with the factory password 'admin'. The CVE text does not state the account name or whether the interface uses HTTP Basic authentication or a login form, so a one-liner such as curl -u admin:admin http://<device-ip>/ only proves anything if the interface uses Basic auth; with a login form, submit the form with the same credentials, or simply log in through a browser. A successful login with 'admin' means the device is affected and the password has never been changed. The referenced resources give no explicit commands. [1, 2]
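The check described above, as an added worked example that is not part of this page, of the referenced resources, or of dormakaba's software: a Python probe that first confirms the interface challenges anonymous requests and only then tries the factory password, so a device that needs no login at all is not misreported as "default credentials". It assumes, since the CVE text does not say, that the interface uses HTTP Basic authentication with the account name 'admin'; the mock server it runs against is a constructed stand-in for the device, not the real firmware. Only run the probe against devices you are authorized to test.

```python
"""Default-credential probe for a web interface (added example, not from the advisory).

Assumptions not stated in CVE-2025-59108: the interface protects its root path with
HTTP Basic authentication and the account name is 'admin'. The mock below is a
constructed stand-in for the device used to exercise the probe offline.
"""
import base64
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional, Tuple
from urllib import error, request

DEFAULT_USER = "admin"       # assumption: the CVE text names only the password
DEFAULT_PASSWORD = "admin"   # factory password named in the CVE description


def _get(url: str, auth: Optional[Tuple[str, str]], timeout: float) -> Optional[int]:
    """GET url, optionally with HTTP Basic credentials. Returns the HTTP status
    (4xx/5xx included) or None when the host does not answer at all."""
    headers = {}
    if auth is not None:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        headers["Authorization"] = f"Basic {token}"
    try:
        with request.urlopen(request.Request(url, headers=headers), timeout=timeout) as resp:
            return resp.status
    except error.HTTPError as exc:
        return exc.code
    except (error.URLError, OSError):
        return None


def check_default_credentials(base_url: str, user: str = DEFAULT_USER,
                              password: str = DEFAULT_PASSWORD,
                              timeout: float = 5.0) -> str:
    """Classify one web interface:
      DEFAULT_CREDS  - anonymous request is challenged (401) and user:password is accepted
      REJECTED       - challenged, and the factory password is refused
      NO_AUTH_PROMPT - root page served with no challenge: not this CVE, but worse
      UNREACHABLE    - no HTTP answer
      UNKNOWN        - anything else (redirect, 403, server error)
    Probing anonymously first avoids a false DEFAULT_CREDS on a device with no login."""
    anon = _get(base_url, None, timeout)
    if anon is None:
        return "UNREACHABLE"
    if anon == 200:
        return "NO_AUTH_PROMPT"
    if anon != 401:
        return "UNKNOWN"
    authed = _get(base_url, (user, password), timeout)
    if authed == 200:
        return "DEFAULT_CREDS"
    if authed == 401:
        return "REJECTED"
    return "UNKNOWN"


class _MockInterface(BaseHTTPRequestHandler):
    """Constructed stand-in for the device's web interface: Basic auth for 'admin'
    with a class-level password; password=None models a device with no login."""
    password: Optional[str] = DEFAULT_PASSWORD

    def do_GET(self) -> None:
        if self.password is not None:
            expected = base64.b64encode(f"admin:{self.password}".encode()).decode()
            if self.headers.get("Authorization") != f"Basic {expected}":
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="Access Manager"')
                self.end_headers()
                return
        body = b"<html><body>Access Manager</body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args) -> None:  # keep the request log quiet
        pass


def start_mock(password: Optional[str]) -> Tuple[HTTPServer, str]:
    """Serve the mock on an ephemeral loopback port; returns (server, base_url)."""
    handler = type("Mock", (_MockInterface,), {"password": password})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"


def demo() -> dict:
    """Run the probe against three constructed devices and return their verdicts."""
    results = {}
    for label, pw in (("factory", DEFAULT_PASSWORD),
                      ("changed", "Qx7!longer-passphrase"),
                      ("no-login", None)):
        srv, url = start_mock(pw)
        try:
            results[label] = check_default_credentials(url)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for device, verdict in demo().items():
        print(f"{device:10s} {verdict}")
```

Against a real device, call check_default_credentials("https://<device-ip>/") for each host from your inventory; if the interface turns out to use a login form rather than Basic auth, replace _get with a POST of the form fields and keep the same anonymous-then-credentialed ordering.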

