CVE-2025-59108
Unknown Unknown - Not Provided
Default Password and Lack of Enforcement in Access Manager Web Interface

Publication date: 2026-01-26

Last updated on: 2026-01-26

Assigner: SEC Consult Vulnerability Lab

Description
By default, the password for the Access Manager's web interface, is set to 'admin'. In the tested version changing the password was not enforced.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-26
Last Modified
2026-01-26
Generated
2026-06-16
AI Q&A
2026-01-26
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59108
EUVD
EUVD-2025-206368
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
dormakaba access_manager to BAME_06.00 (exc)
dormakaba access_manager From XAMB_04.06.212 (exc)
dormakaba access_manager From XAMB_04.05.21 (exc)
dormakaba access_manager From BAME_04.07.268 (exc)
dormakaba access_manager From BAME_05.01.88 (exc)
dormakaba access_manager From BAME_06.00 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1392 The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists because the Access Manager's web interface uses a default password set to 'admin', and in the tested version, changing this password was not enforced. This means that users could continue using the default password, making the system vulnerable to unauthorized access.

Impact Analysis

The vulnerability can lead to unauthorized access to the Access Manager's web interface since the default password is known and not required to be changed. This can result in potential compromise of the system, unauthorized control, and exposure of sensitive information.

Mitigation Strategies

Change the default password 'admin' for the Access Manager's web interface immediately, as the default password is set and changing it is not enforced by the system.

Compliance Impact

The vulnerability, involving weak default passwords and lack of enforced password changes on the Access Manager's web interface, allows unauthorized access to physical access control systems and sensitive data such as card IDs and PINs. This unauthorized access and potential data exposure can lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data and secure access controls. Failure to secure these systems may result in breaches of confidentiality, integrity, and availability of protected data, thereby violating regulatory requirements. [1, 2]

Detection Guidance

This vulnerability can be detected by checking if the dormakaba Access Manager web interface is accessible with the default password 'admin' without enforcing a password change. Network scanning tools can be used to identify devices running dormakaba Access Manager services, typically on HTTP ports. To verify the default password, one could attempt to log in to the web interface using 'admin' as the password. Additionally, scanning for open ports such as 80/443 (HTTP/HTTPS) or 22 (SSH) on dormakaba devices may help identify vulnerable systems. Specific commands might include using curl or wget to attempt login or check for default credentials, for example: curl -u admin:admin http://<device-ip>/ or using nmap to scan for open HTTP ports: nmap -p 80,443 <device-ip>. However, no explicit commands are provided in the resources. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59108. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart